Install Guide FortiMail Version 3.0 MR2
www.fortinet.com
FortiMail Install Guide Version 3.0 MR2
12 December 2007
06-30002-0234-20071212

© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance
FCC Class A Part 15 CSA/CUS
CAUTION: Risk of explosion if battery is replaced by an incorrect type. Dispose of used batteries according to the instructions.
Contents

Introduction ..... 7
  Register your FortiMail unit ..... 7
  About the FortiMail unit ..... 7
    FortiMail-100 ..... 8
    FortiMail-400 ..... 8
    FortiMail-2000/2000A ..... 8
    FortiMail-4000/4000A ..... 8
  About this document ..... 8
    Document conventions ..... 9
  FortiMail documentation ..... 9
    Fortinet Knowledge Center ..... 10
    Comments on Fortinet technical documentation ..... 10
  Customer service and technical support ..... 10

Email Concepts ..... 11
  FortiMail modes ..... 11
    Gateway mode ..... 11
    Transparent mode ..... 12
    Server mode ..... 13
  Email protocols ..... 13
    POP3 ..... 13
    IMAP ..... 14
    SMTP ..... 14
  Definitions ..... 14
    MX record ..... 14
    A record ..... 15
    MTA ..... 15
    MUA ..... 15
    White and Black lists ..... 16
    Grey lists ..... 16
    Bayesian scanning ..... 16
    Heuristic scanning ..... 17

Installing ..... 19
  Environmental specifications ..... 19
  Cautions and warnings ..... 19
    Grounding ..... 19
    Rack mount instructions ..... 20
  Mounting ..... 20
    FortiMail-100 ..... 20
    FortiMail-400 ..... 20
    FortiMail-2000A and FortiMail-4000A ..... 21
  Plugging in the FortiMail unit ..... 24
    FortiMail-100 ..... 24
    FortiMail-400 ..... 24
    FortiMail-2000/A and FortiMail-4000/A ..... 25
    Connecting to the network ..... 25
  Turning off the FortiMail unit ..... 25
  Connecting to the FortiMail unit ..... 25
    Web-based manager ..... 26
    Command line interface ..... 26
    LCD front control buttons ..... 27
  Configuring the FortiMail unit ..... 28
    Management modes ..... 28
    Quick Start wizard ..... 28

Configuring gateway mode ..... 29
  Switching to gateway mode ..... 29
  FortiMail Gateway behind a firewall ..... 30
    Configuring the network settings ..... 30
    Configuring the email system settings ..... 32
    Configuring the firewall ..... 35
    Routing outgoing email to the FortiMail Gateway ..... 37
    Next Steps ..... 37
  FortiMail Gateway in front of a firewall ..... 38
    Configuring the network settings ..... 38
    Configuring the email system settings ..... 40
    Configuring the firewall ..... 43
    Routing outgoing email to the FortiMail Gateway ..... 44
    Next Steps ..... 45
  FortiMail Gateway in the DMZ ..... 45
    Configuring the network settings ..... 46
    Configuring the email system settings ..... 48
    Configuring the firewall ..... 50
    Routing outgoing email to the FortiMail Gateway ..... 53
    Next Steps ..... 53

Configuring transparent mode ..... 55
  Switching to transparent mode ..... 55
  Deploying in front of an email server ..... 56
    Configuring the network settings ..... 56
    Configuring the email system settings ..... 57
    Configuring proxies ..... 59
    Next Steps ..... 59
  Deploying to protect an email hub ..... 60
    Configuring the network settings ..... 60
    Configuring the email system settings ..... 61
    Configuring proxies ..... 63
    Next Steps ..... 64

Configuring server mode ..... 65
  Switching to server mode ..... 65
    Configuring MX records to route incoming email ..... 65
  FortiMail Server behind a firewall ..... 66
    Configuring the network settings ..... 67
    Configuring the email system settings ..... 68
    Configuring the firewall ..... 70
    Next Steps ..... 72
  FortiMail Server in front of a firewall ..... 72
    Configuring the network settings ..... 72
    Configuring the email system settings ..... 74
    Configuring the firewall ..... 76
    Next Steps ..... 77
  FortiMail Server in DMZ ..... 78
    Configuring the network settings ..... 78
    Configuring the email system settings ..... 80
    Configuring the firewall ..... 81
    Next Steps ..... 84

Advanced configuration ..... 85
  Set the date and time ..... 85
  Updating antivirus signatures ..... 86
  Receiving regular antivirus updates ..... 86
    Configuring push updates ..... 87
    Scheduling antivirus updates ..... 87
  Configuring antispam ..... 88
    Black/White lists ..... 88
    Bayesian scanning ..... 90
    Heuristic scanning ..... 90
  Create profiles ..... 91
    Antispam profile ..... 91
    Antivirus profile ..... 92
    Applying profiles ..... 92
  Create policies ..... 92
  Add users (Server mode) ..... 93
    Adding users ..... 93
    Adding groups ..... 93
    Adding user alias ..... 93

Firmware ..... 95
  Backing up the FortiMail information ..... 95
    Back up the configuration ..... 95
    Back up the Bayesian database ..... 95
    Back up the Black/White list database ..... 96
    Back up the FortiMail mail queue ..... 96
  Using the web-based manager ..... 96
    Upgrading the firmware ..... 96
    Reverting to a previous firmware version ..... 97
  Using the CLI ..... 97
    Upgrading the firmware ..... 97
    Reverting to a previous firmware version ..... 98
    Installing firmware images from a system reboot ..... 99
    Testing a new firmware image before installing it ..... 100
    Installing and using a backup firmware image ..... 102

Index ..... 105

FortiMail Version 3.0 MR2 Install Guide 06-30002-0234-20071212
Introduction
Welcome, and thank you for selecting Fortinet products for your real-time network protection. The FortiMail Secure Messaging Platform is an integrated hardware and software solution that provides powerful and flexible antispam, antivirus, email archiving and logging capabilities for incoming and outgoing email traffic. The FortiMail unit has reliable, high-performance features for detecting and blocking spam messages and malicious attachments. Built on the Fortinet award-winning FortiOS™ and FortiASIC™ technology, the FortiMail antivirus technology extends full content inspection capabilities to detect the most advanced email threats.
Register your FortiMail unit
Before you begin, take a moment to register your FortiMail unit(s) by visiting http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiMail units that you or your organization have purchased. You can register multiple FortiMail units in a single session without re-entering your contact information. By registering your FortiMail unit, you will receive antivirus updates and will also ensure your access to technical support, as well as access to new firmware releases. For more information, see the Fortinet Knowledge Centre article “Registration Frequently Asked Questions” (http://kc.forticare.com/default.asp?id=2071).
About the FortiMail unit
The FortiMail family of appliances is designed for any business size and requirement, from a Small Business or Small Office Home Office (SOHO) to larger businesses, and delivers the same enterprise-class network-based antivirus and antispam features. FortiMail is an email security system that provides multi-layered protection against blended threats comprised of spam, viruses, worms and spyware. To ensure up-to-date email protection, FortiMail relies on the Fortinet FortiGuard™ antivirus, antispyware and antispam security subscription services, which are powered by a worldwide 24x7 Global Threat Research Team. FortiMail provides bi-directional email routing, Quality of Service (QoS), virtualization and archiving capabilities with a lower total cost of ownership.
FortiMail-100
The FortiMail-100 is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office, home office and branch office applications. The FortiMail-100 delivers reliable, high-performance features to detect, tag, and block spam messages and their malicious attachments.
FortiMail-400
The FortiMail-400 is optimized for medium-sized enterprise customers, delivering a wealth of reliable, high-performance features to detect, tag, and block spam messages and their malicious attachments. The FortiMail-400 features a high-performance hardened operating system with a RAID storage system for redundancy, and supports a rich set of multi-layered spam detection and filtering technologies with global and per-user spam policies for maximum configuration flexibility.
FortiMail-2000/2000A
For larger installations where higher performance and better reliability are required, the FortiMail-2000/2000A system provides the same software features as the FortiMail-400, but in a modular chassis with hot-swappable components. Ideal for the most demanding email infrastructures, the FortiMail-2000/2000A system delivers high performance for large enterprises and service providers, including the capability to scan 6.8 million emails per day, six hot-swappable disk drives with RAID for disk redundancy, and redundant power supplies and fans. Four 10/100/1000 Base-T interfaces provide the flexibility to connect into many corporate or service provider environments.
FortiMail-4000/4000A
For larger installations where higher performance and better reliability are required, the FortiMail-4000/4000A system provides the same software features as the FortiMail-2000. Ideal for the most demanding email infrastructures, the FortiMail-4000/4000A system delivers high performance for large enterprises and service providers, including the capability to scan 6.8 million emails per day, 12 hot-swappable disk drives with RAID for disk redundancy, and redundant power supplies. Two 10/100/1000 Base-T interfaces provide the flexibility to connect into many corporate or service provider environments.
About this document
This document explains how to install and configure your FortiMail unit on your network. This document contains the following chapters:
• Installing – Describes setting up and powering on a FortiMail unit.
• Email Concepts – Describes the three modes you can select from to operate the FortiMail unit, and briefly describes some email terminology for administrators and users new to email administration and setup.
• Configuring gateway mode – Describes a number of network configuration scenarios and how to configure the FortiMail unit and network to operate in this mode.
• Configuring transparent mode – Describes a number of network configuration scenarios and how to configure the FortiMail unit to operate in this mode.
• Configuring server mode – Describes a number of network configuration scenarios and how to configure the FortiMail unit and network to operate in this mode.
• Advanced configuration – Describes the next-step configurations you need to consider to ensure email is scanned and protected from viruses.
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results, including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:

Convention          Example
Keyboard input      In the Host Name field, type a name for the remote server (for example, Central_Office_1).
CLI command syntax  execute restore image
Document names      FortiMail Administration Guide
Menu commands       Go to Mail Settings > Domains and select Create New.
Program output      Welcome!
Variables
FortiMail documentation
Information about the FortiMail unit is available from the following guides:
• FortiMail QuickStart Guide – Provides basic information about connecting and installing a FortiMail unit and configuring the unit for use on your network.
• FortiMail Administration Guide – Describes how to install, configure, and manage a FortiMail unit in Transparent, Gateway, and Server modes, including how to configure the unit, create profiles and policies, configure antispam and antivirus filters, create user accounts, configure email archiving, and set up logging and reporting.
• FortiMail Installation Guide – Describes how to set up the FortiMail unit in Transparent, Gateway, and Server modes. It also provides information on how to use system settings to view FortiMail unit status and configure how the FortiMail unit connects to your network and to the Internet.
• FortiMail Online Help – Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiMail Webmail Online Help – Describes how to use the FortiMail web-based email client, including how to send and receive email; how to add, import, and export addresses; how to configure message display preferences; and how to manage quarantined email.

Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to [email protected].

Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.
Email Concepts
If you are new to FortiMail, or new to configuring and managing an email system, this chapter provides the basic email concepts and terminology you need to configure your FortiMail unit. It gives an overview of the FortiMail unit, the modes it supports and its key features, and describes the key terms and concepts you will use when configuring the unit. If you are already familiar with email concepts and terminology, you can skip to the section “FortiMail modes” on page 11, which describes the modes of operation available with FortiMail.

This chapter contains the following:
• FortiMail modes
• Email protocols
• Definitions
FortiMail modes
The FortiMail unit can run in one of three modes:
• Gateway mode
• Transparent mode
• Server mode

In Gateway and Transparent mode, the FortiMail unit sits between the firewall and the email server and acts as a filter for email passing through it. How you choose to deploy the FortiMail unit determines which of these modes best suits your environment. Of the three modes, Server mode functions very differently from Gateway and Transparent mode: in Server mode, the FortiMail unit is the email server as well as the means of scanning the email traffic. In all modes, the FortiMail unit scans email traffic for viruses and spam, and can quarantine suspicious email and attachments.
Gateway mode
In Gateway mode the FortiMail unit acts as a fully functional mail relay server. Gateway mode does not provide local mailboxes, but it does provide a web user interface for managing spam filters (black/white lists), auto white lists, and per-user Bayesian databases. In Gateway mode, the FortiMail unit receives incoming email messages, scans them for viruses and spam, then passes (relays) the email to the email server for delivery. In this mode the FortiMail unit can effectively protect your email server, because the email server is not visible to outside users. The FortiMail unit can also archive email for backup and monitoring purposes. It integrates into your existing network with only minor changes to your network configuration; you must, however, change your MX record to route incoming email to the FortiMail unit for scanning.
Figure 1: Gateway mode topology. Components shown: Internet, FortiMail unit (Gateway mode), Hub Mail Server, Mail Users (POP3/IMAP/Web Mail).
For example, an ISP deploys a FortiMail unit to protect its customers’ mail servers. Many customers do not want their mail servers to be visible to external users for security reasons, so the ISP installs the FortiMail unit in Gateway mode to meet that need. The ISP takes advantage of the deployment flexibility of Gateway mode and places the FortiMail unit in the DMZ, while keeping the email server safe behind the firewall. For sample configuration information, see the chapter “Configuring gateway mode” on page 29.
Transparent mode
In Transparent mode, the FortiMail unit acts as a bridge, providing seamless integration into existing network environments. In Transparent mode, the FortiMail unit provides a flexible and versatile email scanning solution. You can place the FortiMail unit in front of the existing email server without any changes to the existing network topology. This means that all of the FortiMail interfaces are on the same subnet. Transparent mode also provides a web user interface for managing spam filters (black/white lists), auto white lists, and per-user Bayesian databases.
Figure 2: Transparent mode topology. Components shown: Internet, Router, FortiMail unit (Transparent mode), Mail Server, Mail Users (POP3/IMAP/Web Mail).
For example, a company wants to install a FortiMail unit to protect its mail server. The company installs the FortiMail unit in Transparent mode to avoid changing its MX record to route email to the FortiMail unit, and to simply act as a filter for spam and virus related email. With this mode, the company’s end users do not need to change the mail server setting on their email client. The company also wants its mail server to be visible to the users to increase the company’s popularity. For sample configuration information, see the chapter “Configuring transparent mode” on page 55.
Server mode
In Server mode the FortiMail unit is a fully functional SMTP, IMAP and POP3 mail server with local mailboxes and an optional WebMail user interface. In addition, the FortiMail Server provides antivirus, antispam, email archiving, and logging and reporting services. For sample configuration information, see the chapter “Configuring server mode” on page 65.
Email protocols
An email protocol is a standard method for two ends of a communication channel to transmit and receive information. There are three standard email protocols: POP3, IMAP and SMTP. Each has its own pros and cons, as well as its own application uses.
POP3
The Post Office Protocol (version 3) enables email users to retrieve their email stored on a mail server. Once the email application retrieves the messages, the server removes them from its hard disk. POP3 transmissions occur over port 110 by default. The advantage of POP3 is that users download their email to their local machine, freeing hard disk space on the server. The disadvantage is that the mail then resides on a single computer: users who check email from another computer cannot access the mail they previously viewed and downloaded.
The FortiMail unit supports the POP3 protocol on port 110 in server mode only. If necessary, you can change the default port in the Mail Settings > Settings menu.
IMAP
Internet Message Access Protocol is a method of accessing email messages kept on a remote mail server without downloading the messages to the user’s local computer. All messages remain on the email server’s hard disk. With IMAP, only the headers of email messages are downloaded to the inbox of the user’s email application. The advantage of this is that it enables a user to access new and saved messages at any time from more than one computer. This is especially useful where more than one person may need to look at an inbox, such as a technical support inbox that a number of technicians monitor for incoming questions. The disadvantage of IMAP storing email messages is the large storage capacity required for email and attachments; freeing up disk space requires email users to clean their inboxes manually. The FortiMail unit supports the IMAP protocol on port 143 in server mode only.
SMTP
Simple Mail Transfer Protocol is the standard for sending email between two email servers using port 25. When a user sends an e-mail, a connection between the sending server and the receiving server is established. Both servers communicate to determine whether the recipient user exists and whether the e-mail can be sent. If the email address is legitimate, the transfer of the email message follows. FortiMail only supports SMTP authentication because it has no local user accounts; instead, it uses external server types, such as POP3, to authenticate e-mail. SMTP authentication is enabled during the installation process in server mode only. FortiMail also supports SMTP over SSL/TLS, which allows for the exchange of encrypted mail. This feature is available in all three modes.
Definitions
When you configure the FortiMail unit by following the steps in the subsequent chapters of this guide, there are a number of terms that you should be familiar with before proceeding.
MX record
Mail Exchange (MX) records are used to route e-mail to specific destinations. An MX record is an entry in a domain name database such as a Domain Name System (DNS) server. A DNS server acts much like a phone book, containing data on how to reach different domains; it is usually made accessible by internet service providers (ISPs). If a local DNS server exists, MX records can be added or changed on it using one of several user interfaces, depending on the operating system used.
In FortiMail, MX records are configured by the administrator by going to Mail Settings > Domains. When gateway or server mode is used, the MX records are changed so that e-mail is routed to the FortiMail unit for scanning before it reaches the mail server. In gateway and transparent modes, FortiMail can be set up to protect multiple domains. MX records are used to identify these domains and are configured by going to Mail Settings > Domains. When an e-mail is sent out, the sender’s mail server performs a DNS lookup using the recipient’s domain name, for example, [email protected], and acquires the MX record.
Example of an MX record entry: example.com 3600 IN MX 50 docs.example.com
The MX record contains the domain and host names (docs.example.com). This information is used to send the e-mail to the recipient’s mail server, which stores it until it is downloaded.
A record
The A record is an entry that assigns an internet protocol (IP) address to a domain name, much like a phone number is assigned to a specific name in a phone book entry. IP addresses are used to locate devices such as computers and servers. A records are stored and configured on the DNS server. The administrator can configure these records using one of several user interfaces, depending on the operating system used. Before e-mail is sent out, the sender's mail server looks up the recipient’s MX and A records in the DNS server. Then, using the A record entry, the email server sends the email to the recipient using the IP address that corresponds to the domain name.
Example of an A record: docs.example.com IN A 203.254.581
MTA
The Mail Transfer Agent is a software agent or mail server that transfers e-mail messages from one computer to another. It works in the background and in conjunction with email clients. To deliver e-mail to the right recipient, the MTA looks up the MX record and the corresponding A records in the DNS server. When configured in server mode, the FortiMail unit functions as an MTA, that is, a fully functional SMTP, IMAP and POP3 mail server. It provides local mailboxes and an optional Web Mail user interface.
MUA
The Mail User Agent refers to a computer application or e-mail client, such as Outlook Express, that enables users to send and receive e-mail. The FortiMail unit provides a web-based email client interface. However, FortiMail can also be used with any other type of e-mail client, including web-based email clients.
White and Black lists
While the FortiMail unit and FortiGuard services maintain a large list of known spammers, that list is not perfect. In some cases, mail tagged as spam comes from an individual you want to receive mail from, while mail from senders you do not want to hear from is not caught by the spam filters and gets through to your inbox. White lists and black lists enable you and your users to maintain a list of email addresses that you want (white list) or do not want (black list) to receive email from. FortiMail enables you and your users to maintain these lists to meet their requirements. Addresses can be added to or removed from the lists as required. For details on adding a white list and black list, see “Black/White lists” on page 88.
Grey lists
Grey listing is a means of reducing spam in a relatively low-maintenance manner. There are no IP address lists, email lists, or word lists to keep up to date. The only required list is automatically maintained by the FortiMail unit. When examining an email message, the grey list routine looks at three message attributes: the sender address, the recipient address, and the IP address of the mail server delivering the message. More specifically, the grey list routine examines the envelope sender (Mail From:), the envelope recipient (Rcpt To:), and the sender IP. If the grey list routine has no record of a message with these three values, the message is refused and a temporary error is reported to the server attempting delivery. If the sending server sends the message again within a specific time frame, the FortiMail unit considers the email valid and adds the sender as an accepted sender. If no further attempt is made, the FortiMail unit considers the sender a spammer. The grey list feature has two compelling attributes:
• Extremely low administrator maintenance.
• Spam detection routines do not have to be run on mail stopped by grey listing. This can save significant processing and storage resources.
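The triplet logic described above, as an added example written for this guide rather than the FortiMail unit's own implementation. It keeps a pending record per (envelope sender, envelope recipient, sender IP), answers a first attempt with a temporary SMTP error, accepts a retry inside the window and forgets senders that never retry; the two window lengths and the test sender addresses are assumptions.

```python
"""Greylisting keyed on the (envelope sender, envelope recipient, sending
server IP) triplet. Added illustration for this guide, not the FortiMail
unit's own code; the two window lengths are assumed values."""
from dataclasses import dataclass, field

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    # A retry sooner than this looks like a bot hammering the server rather
    # than a real MTA honouring the temporary error (assumed value, seconds).
    min_retry: float = 60.0
    # If no retry arrives within this window the triplet is forgotten and the
    # sender is treated as a spammer that never retried (assumed value, seconds).
    retry_window: float = 4 * 3600.0
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    accepted: set = field(default_factory=set)   # triplets that retried in time

    @staticmethod
    def triplet(mail_from, rcpt_to, ip):
        # Mailbox domains compare case-insensitively; IPs are compared as given.
        return (mail_from.lower(), rcpt_to.lower(), ip)

    def check(self, mail_from, rcpt_to, ip, now):
        """Decide one delivery attempt at time `now` (seconds).
        Returns (accepted, smtp_reply)."""
        key = self.triplet(mail_from, rcpt_to, ip)
        if key in self.accepted:
            return True, ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            # Unknown triplet (or an expired one): refuse with a temporary
            # error so a real MTA queues the message and tries again later.
            self.pending[key] = now
            return False, TEMP_FAIL
        if now - first_seen < self.min_retry:
            return False, TEMP_FAIL
        # A well-behaved retry inside the window: accept and remember it so
        # later mail from this triplet is not delayed again.
        del self.pending[key]
        self.accepted.add(key)
        return True, ACCEPT

    def purge(self, now):
        """Forget pending triplets whose retry window passed without a retry
        (the 'considered a spammer' case). Returns the number dropped."""
        stale = [k for k, t in self.pending.items() if now - t > self.retry_window]
        for k in stale:
            del self.pending[k]
        return len(stale)


def demo():
    """Constructed sequence of delivery attempts; returns the SMTP replies
    and the number of never-retried triplets purged afterwards."""
    gl = Greylist()
    sender = ("[email protected]", "[email protected]", "198.51.100.7")
    replies = [
        gl.check(*sender, now=0)[1],      # first attempt: temporary error
        gl.check(*sender, now=10)[1],     # retried too fast: still refused
        gl.check(*sender, now=600)[1],    # retried after 10 min: accepted
        gl.check(*sender, now=86400)[1],  # next day, same triplet: accepted
    ]
    # A sender that never retries is dropped once its window has passed.
    gl.check("[email protected]", "[email protected]", "203.0.113.9", now=0)
    purged = gl.purge(now=5 * 3600)
    return replies, purged


if __name__ == "__main__":
    print(demo())
```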
Bayesian scanning
Bayesian scanning is a method of teaching the FortiMail unit what is a spam email and what is not. Bayesian training uses Bayes' theorem of probability. Using this theorem, the spam filters take into account the type of words used in spam messages versus those that are not spam. For every word in these email messages, the filter calculates the probability of a scanned message being spam based on the proportion of spam occurrences. Bayesian training is a manual process performed by the administrator or email users. For each email received, an email user “tells” the filter whether it is a good email, spam, or a false positive. The more training, that is, the more a user sends email indicating its status, the more effective the spam filter will be. For details on setting up Bayesian training, see “Bayesian scanning” on page 90.
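A word-based Bayesian scorer in the spirit of the training process just described, added here as an example and not the FortiMail unit's own filter. Users label messages as spam or good, each word's spam probability comes from the proportion of spam versus good messages containing it, and Bayes' theorem combines the words; the training corpus and the false-positive correction are constructed.

```python
"""Word-based Bayesian spam scoring trained by user labels. Added
illustration for this guide, not the FortiMail unit's own filter; the
training corpus is constructed."""
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z][a-z']+")


def tokenize(text):
    """Lower-case word tokens; each word counts once per message."""
    return set(WORD_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_msgs = 0
        self.good_msgs = 0
        self.spam_words = Counter()  # word -> number of spam messages containing it
        self.good_words = Counter()  # word -> number of good messages containing it

    def train(self, text, is_spam):
        """What happens when a user marks a message as spam or as good."""
        words = tokenize(text)
        if is_spam:
            self.spam_msgs += 1
            self.spam_words.update(words)
        else:
            self.good_msgs += 1
            self.good_words.update(words)

    def reclassify(self, text, now_spam):
        """Correct an earlier label (a false positive when now_spam is False):
        move the message's counts from one class to the other. Assumes the
        message really was trained with the opposite label earlier."""
        words = tokenize(text)
        if now_spam:
            self.good_msgs -= 1
            self.good_words.subtract(words)
        else:
            self.spam_msgs -= 1
            self.spam_words.subtract(words)
        self.train(text, now_spam)

    def word_spam_prob(self, word):
        """P(spam | word) from the proportion of spam versus good messages
        containing the word, with one pseudo-count per class so unseen words
        stay neutral at 0.5 and no word is ever exactly 0 or 1."""
        p_given_spam = (self.spam_words[word] + 1) / (self.spam_msgs + 2)
        p_given_good = (self.good_words[word] + 1) / (self.good_msgs + 2)
        return p_given_spam / (p_given_spam + p_given_good)

    def spam_probability(self, text):
        """Bayes' theorem over all words, assuming independent words and
        equal priors, summed in log-odds space to avoid underflow."""
        log_odds = 0.0
        for word in tokenize(text):
            p = self.word_spam_prob(word)
            log_odds += math.log(p) - math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(-log_odds))


def build_demo_filter():
    """Train on a small constructed corpus the way users would label mail."""
    f = BayesFilter()
    spam = [
        "buy cheap pills now limited offer",
        "cheap offer click now win prize",
        "win free prize cheap pills",
        "limited offer free money click",
    ]
    good = [
        "meeting tomorrow about the quarterly report",
        "please review the attached report before the meeting",
        "lunch tomorrow? the usual place",
        "quarterly numbers attached, review when you can",
    ]
    for m in spam:
        f.train(m, True)
    for m in good:
        f.train(m, False)
    return f


def false_positive_demo():
    """A legitimate message was wrongly trained as spam; returns the spam
    probability of similar text before and after the user corrects it."""
    f = build_demo_filter()
    msg = "free lunch tomorrow"
    f.train(msg, True)                  # the mistaken label
    before = f.spam_probability("free lunch")
    f.reclassify(msg, now_spam=False)   # user reports the false positive
    after = f.spam_probability("free lunch")
    return before, after
```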
Heuristic scanning
While Bayesian training is a manual procedure of teaching the spam filters what to look for in email messages, heuristic filtering uses a scoring technique based on predetermined terms and words. The rules are broken down into 5 categories: header, body, raw body, URI, and metadata. Each rule has an individual score used to calculate the total score for an email. To determine if an email is spam, the heuristic filter examines the message and adds the score of each rule that applies to get a total score for that email. If the total is greater than or equal to the upper threshold, the mail is classified as spam and processed accordingly. For more information on configuring heuristic scanning, see “Heuristic scanning” on page 90.
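The scoring scheme above in working form, added as an example for this guide and not the FortiMail unit's own rule set: rules sit in the five categories, each carries its own score, the scores of all matching rules are summed and the total is compared with an upper threshold. The rules, scores, threshold and the two test messages are constructed.

```python
"""Score-based heuristic filtering over five rule categories. Added
illustration for this guide, not the FortiMail rule set; rules, scores,
threshold and messages are constructed."""
import re
from email import message_from_string

UPPER_THRESHOLD = 5.0  # constructed value


def _match(pattern, flags=re.I):
    """Build a predicate that is true when the pattern occurs in the text."""
    rx = re.compile(pattern, flags)
    return lambda text: rx.search(text) is not None


def _has_ip_literal_url(uris):
    """True when any URI points at a bare IP address instead of a host name."""
    return any(re.match(r"https?://\d+\.\d+\.\d+\.\d+", u) for u in uris)


# (category, rule name, predicate over that category's data, score)
RULES = [
    ("header",   "subject_free",   _match(r"^subject:.*\bfree\b", re.I | re.M), 1.5),
    ("header",   "no_message_id",  lambda h: re.search(r"^message-id:", h, re.I | re.M) is None, 1.0),
    ("body",     "act_now",        _match(r"\b(act now|limited time)\b"), 1.0),
    ("body",     "shouting",       _match(r"\b[A-Z]{6,}\b", 0), 0.8),
    ("raw_body", "base64_part",    _match(r"content-transfer-encoding:\s*base64"), 0.5),
    ("uri",      "ip_literal_url", _has_ip_literal_url, 2.0),
    ("metadata", "many_rcpts",     lambda m: m["rcpt_count"] >= 20, 1.0),
]

URI_RE = re.compile(r"https?://[^\s<>\"']+")


def extract(raw, rcpt_count):
    """Split one RFC 2822 message into the five views the rule categories use."""
    msg = message_from_string(raw)
    headers = "".join(f"{name}: {value}\n" for name, value in msg.items())
    # "body" is the decoded text of every text/* part; "raw body" is the
    # undecoded content after the blank line that ends the headers.
    body = "".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type().startswith("text/")
    )
    raw_body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    return {
        "header": headers,
        "body": body,
        "raw_body": raw_body,
        "uri": URI_RE.findall(body),
        "metadata": {"rcpt_count": rcpt_count},  # envelope facts, not message text
    }


def score(raw, rcpt_count=1):
    """Return (total score, names of matching rules, is_spam)."""
    data = extract(raw, rcpt_count)
    total, hits = 0.0, []
    for category, name, predicate, points in RULES:
        if predicate(data[category]):
            total += points
            hits.append(f"{category}/{name}")
    return total, hits, total >= UPPER_THRESHOLD


# Constructed sample messages.
SPAM_MSG = """\
From: [email protected]
To: [email protected]
Subject: FREE prize waiting for you
Content-Type: text/plain; charset=us-ascii

CONGRATULATIONS WINNER! ACT NOW, limited time only.
Claim your prize at http://203.0.113.5/claim
"""

HAM_MSG = """\
From: [email protected]
To: [email protected]
Subject: Quarterly report draft
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

Hi Bob, the draft is at https://intranet.example.com/reports/q4 and comments are welcome.
"""

if __name__ == "__main__":
    print(score(SPAM_MSG))
    print(score(HAM_MSG))
```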
Installing
This chapter provides information on mounting and connecting the FortiMail unit to your network. This chapter includes the following topics:
• Environmental specifications
• Cautions and warnings
• Mounting
• Plugging in the FortiMail unit
• Turning off the FortiMail unit
• Connecting to the FortiMail unit
Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C). If you install the FortiMail unit in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Therefore, make sure to install the equipment in an environment compatible with the manufacturer's maximum rated ambient temperature.
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 90% non-condensing
• Air flow: For rack installation, make sure that the amount of air flow required for safe operation of the equipment is not compromised.
• For free-standing installation, make sure that the FortiMail unit has sufficient clearance on each side to allow for adequate air flow and cooling.
Cautions and warnings
Review the following cautions before installing your FortiMail unit.
Grounding
• Ensure the FortiMail unit is connected and properly grounded to a lightning and surge protector. WAN or LAN connections that enter the premises from outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.
• Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather than Unshielded Twisted Pair (UTP).
• Do not connect or disconnect cables during lightning activity to avoid damage to the FortiMail unit or personal injury.
Rack mount instructions
Elevated Operating Ambient: If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) specified by the manufacturer.
Reduced Air Flow: Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.
Mechanical Loading: Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.
Circuit Overloading: Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
Reliable Earthing: Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).
If required to fit into a rack unit, remove the rubber feet from the bottom of the FortiMail unit.
Mounting
FortiMail-100
Adhere the rubber feet included in the package to the underside of the FortiMail unit, near the corners of the unit, if not already attached. Place the FortiMail unit on any flat, stable surface. Ensure the FortiMail unit has sufficient clearance on each side to ensure adequate airflow for cooling.
FortiMail-400
The FortiMail unit can be placed on any flat surface, or mounted in a standard 19-inch rack unit. When placing the FortiMail unit on any flat, stable surface, ensure the FortiMail unit has sufficient clearance on each side to ensure adequate airflow for cooling. For rack mounting, use the mounting brackets and screws included with the FortiMail unit.
Caution: To avoid personal injury, you may require two or more people to install the unit in the rack.
To install the FortiMail unit into a rack
1. Attach the mounting brackets to the sides of the unit so that the brackets are on the front portion of the FortiMail unit. Ensure that the screws are tight and not loose. The following photos illustrate how the brackets should be mounted. Note that the screw configuration may vary.
Figure 3: Installed mounting brackets
2. Position the FortiMail unit in the rack to allow for sufficient air flow.
3. Line up the mounting bracket holes with the holes on the rack, ensuring the FortiMail unit is level.
4. Finger-tighten the screws to attach the FortiMail unit to the rack.
5. Once you have verified the spacing of the FortiMail unit and that it is level, tighten the screws with a screwdriver. Ensure that the screws are tight and not loose.
Figure 4: Mounting in a rack
FortiMail-2000A and FortiMail-4000A
To mount the FortiMail unit in a 19-inch rack or cabinet, use the slide rails included with the product.
Caution: To avoid personal injury or damage to the FortiMail unit, it is highly recommended a minimum of two people perform this procedure.
Mounting requires three steps:
• disassembling the slide rail from the slide housing
• attaching the slide rail to the sides of the FortiMail unit
• mounting the FortiMail unit to the rack or cabinet.
Disassembling the slide rail
The slide rail assembly has two moving rails within the housing. You need to remove the innermost rail. This rail will attach to the sides of the FortiMail unit.
Figure 5: FortiMail side rail (labels: Rail housing, Sliding Rail)
To remove the side rail
1. Open the slide rails package and remove the rails.
2. Extend the slide rail and locate the slide rail lock (labelled Rail Lock in the figure).
3. Push down on the lock while pulling the rail completely out of the slide rail assembly.
4. Repeat these steps for the other slide rail assembly. You will attach this part to the side of the FortiMail unit.
Attaching the slide rail to the FortiMail unit Attach the disconnected slide rails from the previous step to the sides of the FortiMail unit. Use the screws provided with the slide rail package, being sure to securely fasten the rail to the FortiMail chassis.
Mounting the FortiMail unit
Mounting the FortiMail-2000A or FortiMail-4000A is a two-step process. First, you must attach the slide rail housing to the rack or cabinet, then insert the FortiMail unit.
To mount the FortiMail unit
1. Mount the slide rail housing to the rack or cabinet frame. Adjust the outside L-shaped brackets for a proper fit. Ensure that both housings are on the same level so that the FortiMail unit can easily glide into place and is level.
2. Use the screws and additional L-brackets, if required, to securely fasten the housing.
3. Position the FortiMail unit so that the back of the unit is facing the rack and the slide rails affixed in the previous step line up with the slide rail housing.
4. Gently push the FortiMail unit into the rack or cabinet. You will hear a click when the slide rail lock has engaged.
5. Push the FortiMail unit until it is fully inserted into the rack.
Plugging in the FortiMail unit
FortiMail-100
The FortiMail-100 does not have a power switch.
To power on the FortiMail unit
1. Connect the AC adapter to the power connection at the back of the FortiMail unit.
2. Connect the AC adapter to the power cable.
3. Connect the power cable to a power outlet. The FortiMail unit starts and the Power and Status LEDs light up. The Status LEDs flash while the FortiMail unit starts up, and remain lit when the system is running.
FortiMail-400
Use the following steps to connect the power supply to the FortiMail unit.
To power on the FortiMail unit
1. Ensure the power switch, located at the back of the FortiMail unit, is in the off position, indicated by the “O”.
2. Connect the power cord at the back of the FortiMail unit.
3. Connect the power cable to a power outlet.
4. Set the power switch on the back left of the FortiMail unit to the on position, indicated by the “I”. After a few seconds, SYSTEM STARTING appears on the LCD. The main menu setting appears on the LCD when the system is running.
FortiMail-2000/A and FortiMail-4000/A
The FortiMail unit does not have an on/off switch.
To power on the FortiMail unit
1. Connect the power cables to the power connections on the back of the FortiMail unit.
2. Connect the power cables to power outlets. Each power cable should be connected to a different power source; if one power source fails, the other may still be operative. After a few seconds, SYSTEM STARTING appears on the LCD. The main menu setting appears on the LCD when the system is running. The FortiMail unit starts and the Power and Status LEDs light up. The Status LEDs flash while the FortiMail unit starts up, and remain lit when the system is running.
Note: If only one power supply is connected, an audible alarm sounds to indicate a failed power supply. Press the red alarm cancel button on the rear panel next to the power supply to stop the alarm.
Connecting to the network Using the supplied Ethernet cable, connect one end of the cable to your router or switch. Connect the other end to port 1 on the FortiMail unit.
Turning off the FortiMail unit
Always shut down the FortiMail unit properly before turning off the power switch to avoid potential hardware problems. This enables the hard drives to spin down and park correctly and avoids losing data.
To power off the FortiMail unit
1. From the web-based manager, go to System > Status.
2. In the System Command display, select Shutdown, or from the CLI enter: execute shutdown
3. Turn off and/or disconnect the power cables from the power supply.
Connecting to the FortiMail unit
There are three methods of connecting and configuring the basic FortiMail settings:
• the web-based manager
• the command line interface (CLI)
• the front control buttons and LCD (FortiMail-400 and FortiMail-2000A)
Web-based manager
You can configure and manage the FortiMail unit using HTTP or a secure HTTPS connection from any computer using a recent browser. You can use the web-based manager to configure most FortiMail settings and monitor the status of the FortiMail unit. Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately, without interrupting service. To connect to the web-based manager, you require:
• a computer with an Ethernet connection
• any recent version of a popular web browser
• a crossover Ethernet cable or an Ethernet hub with two Ethernet cables
To connect to the web-based manager
1. Set the IP address of the computer with an Ethernet connection to the static IP address 192.168.1.2 with a netmask of 255.255.255.0.
2. Using the crossover cable or the Ethernet hub and cables, connect the internal interface of the FortiMail unit to the computer Ethernet connection.
3. Start the web browser and browse to the address https://192.168.1.99/admin (remember to include the “s” in https://).
To support a secure HTTPS authentication method, the FortiMail unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiMail unit. When you connect, the FortiMail unit displays two security warnings in the browser. The first warning prompts you to accept and optionally install the FortiMail unit’s self-signed security certificate. If you do not accept the certificate, the FortiMail unit refuses the connection. If you accept the certificate, the FortiMail login page appears. The credentials you enter are encrypted before they are sent to the FortiMail unit. If you choose to accept the certificate permanently, the warning is not displayed again. Just before the FortiMail login page is displayed, a second warning informs you that the FortiMail certificate distinguished name differs from the original request. This warning occurs because the FortiMail unit redirects the connection. This is an informational message. Select OK to continue logging in.
4. Type admin in the Name field and select Login.
Command line interface You can access the FortiMail command line interface (CLI) by connecting a management computer serial port to the FortiMail serial console connector. You can also use Telnet or an SSH connection to connect to the CLI from any network that is connected to the FortiMail unit, including the Internet. As an alternative to the web-based manager, you can install and configure the FortiMail unit using the CLI. Configuration changes made with the CLI are effective immediately, without interrupting service.
To connect to the FortiMail CLI you require:
• a computer with an available communications port
• the DB-9 or RJ-45 to DB-9 cable included in your FortiMail package
• terminal emulation software such as HyperTerminal for Microsoft Windows
Note: The following procedure uses Microsoft Windows HyperTerminal software. You can apply these steps to any terminal emulation program.
To connect to the CLI
1. Connect the console cable to the communications port of your computer and to the FortiMail console port.
2. Start HyperTerminal, enter a name for the connection and select OK.
3. Configure HyperTerminal to connect directly to the communications port on your computer and select OK.
4. Select the following port settings and select OK:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
5. Press Enter to connect to the FortiMail CLI. The login prompt appears.
6. Type admin and press Enter twice. The following prompt is displayed:
Welcome!
Type ? to list available commands.
For information about how to use the CLI, see the FortiMail CLI Reference.
LCD front control buttons
You can use the front control buttons and LCD on the FortiMail-400 and FortiMail-2000A to configure IP addresses and default gateways and to switch operating modes. The LCD shows you what mode you are in without having to go to the command line interface or the web-based manager. This configuration method provides an easy and fast way to configure your FortiMail unit. You can configure:
• IP addresses and netmasks
• default gateways
• operating modes
• restore factory default settings
The front control buttons control how you enter and exit the different menus when configuring the different ports and interfaces. The front control buttons also enable you to increase or decrease each number when configuring IP addresses, default gateway addresses, or netmasks. The following table defines each button and what it does when configuring the basic settings of your FortiMail unit.
Table 1: Front control button definitions
Enter: Enables you to move forward through the configuration process.
Esc: Enables you to move backward, or exit out of the menu you are in.
Up: Allows you to increase the number for an IP address, default gateway address or netmask.
Down: Allows you to decrease the number for an IP address, default gateway address or netmask.
Configuring the FortiMail unit
Once the FortiMail unit is properly mounted, plugged in and connected to the network, you can configure it for your network. The FortiMail unit can run in three different modes. Each mode has multiple configuration options depending on where you place the unit within your network infrastructure. Each configuration has unique options and settings. This Install Guide contains a chapter for each mode and its configuration options.
Management modes FortiMail running version 3.0 MR2 and higher of the operating system includes two management modes: basic and advanced. Depending on your familiarity with configuring network email or email appliances, select the mode that best suits your abilities. You can switch between modes at any time without losing any settings. Basic mode enables you to configure the minimum settings to enable antispam and antivirus protection to your network email. Advanced mode provides more robust options, including user configuration, and more detailed antispam and antivirus options. You can use either management mode in all the FortiMail operating modes.
Quick Start wizard If you are new to FortiMail, and this is your first installation, you can use the Quick Start Wizard, available in basic management mode. The Quick Start wizard guides you through the settings necessary to configure the FortiMail unit onto the network, including network configuration, email server configuration, and basic antispam and antivirus options. The Quick Start Wizard is available in all FortiMail operating modes. It is recommended that you select the operating mode before running the Quick Start Wizard, as some options are specific to the operating mode. If you switch operating modes after using the Quick Start Wizard, some configuration settings may be lost or be incomplete.
Configuring gateway mode
This chapter describes how to configure a FortiMail unit to operate in gateway mode. In gateway mode the FortiMail unit acts as a fully functional mail relay server. The FortiMail unit receives incoming email messages, scans for viruses and spam, then passes (relays) the email to the email server for delivery. This chapter describes common deployment options for a FortiMail unit running in gateway mode. Use these deployment and configuration examples to install the FortiMail unit on your network, or use them as a guide for your own network topology. Additional configuration information and details are available in the FortiMail Administration Guide. All examples use a FortiGate firewall device. If you are using an alternate firewall appliance, consult the appliance’s documentation for completing similar configurations.
Note: This chapter uses the FortiMail unit in the advanced management mode.
This chapter includes the following:
• FortiMail Gateway behind a firewall
• FortiMail Gateway in front of a firewall
• FortiMail Gateway in the DMZ
Switching to gateway mode
Use the web-based manager to complete the configuration of the FortiMail unit. You can continue to use the web-based manager for all FortiMail settings. Before you begin configuring the FortiMail unit, ensure that it is in gateway mode. To verify, go to System > Status and check the Operation Mode.
To change the operation mode
1. Go to System > Status.
2. Select Change for the Operation Mode.
3. Select Gateway from the list and select OK.
FortiMail Gateway behind a firewall
The FortiMail unit is positioned behind a FortiGate firewall. With the FortiMail unit set up this way, the firewall blocks attacks on the FortiMail unit and the email server. Incoming and outgoing email is routed through the FortiMail unit for scanning before being sent to the email server or the Internet.
Figure 6: FortiMail Gateway behind firewall (diagram labels: Email Server, Switch, Internal, External, Internet Router, Firewall, DNS Server)
Configuring the network settings
Use the following table to gather the information you need to customize the gateway mode settings.
Table 2: Gateway mode settings
Administrator Password: ____________________
Port 1   IP: _____._____._____._____   Netmask: _____._____._____._____
Port 2   IP: _____._____._____._____   Netmask: _____._____._____._____
Port 3   IP: _____._____._____._____   Netmask: _____._____._____._____
Port 4   IP: _____._____._____._____   Netmask: _____._____._____._____
Port 5   IP: _____._____._____._____   Netmask: _____._____._____._____
Port 6   IP: _____._____._____._____   Netmask: _____._____._____._____
Network settings
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to your internal network hub or switch. The IP address of Port 1 must be on the same subnet (address range) as the network and cannot use the same address as another device or computer on the network.
Configuring a static IP address
To configure a network interface with a static IP address
1. Go to System > Network > Interface.
2. Select Modify for Port 1.
3. Select Manual Addressing Mode.
4. Enter the IP address and netmask.
5. Select OK. If you changed the IP address of the interface through which you are connecting to manage the FortiMail unit, you must reconnect to the web-based manager using the new IP address.
Configuring an interface for DHCP
You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may provide IP addresses using this protocol. DHCP is used to obtain IP addresses from a DHCP server, such as from your ISP. Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet. When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if you need to configure them manually.
To configure an interface for DHCP
1. Go to System > Network > Interface.
2. Select Modify for Port 1.
3. Select DHCP.
4. If required, select Retrieve default gateway and DNS from server to disable this option.
5. Select OK.
Configuring DNS
You need to configure Domain Name System (DNS) server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your internet service provider. In simple terms, a DNS server acts as a phone book for the Internet: it matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.
To add DNS server IP addresses
1. Go to System > Network > DNS.
2. Enter the primary and secondary DNS server IP addresses.
3. Select Apply.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the FortiMail unit to contact the DNS server. If you configured your interfaces dynamically using DHCP, the FortiMail unit configures a default route automatically. The gateway address for the route is on the same network as port 1. You need to configure additional routes if any of your email servers are on a different subnet. The gateway you specify is the address of the next-hop router that connects to the required network.
To configure routing
1. Go to System > Network > Routing.
2. Select Create New to add a new route.
3. Enter the Destination IP address and netmask.
4. Enter the Gateway IP address.
5. Select OK.
Configuring the email system settings The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings to have this relay occur.
Configuring basic email system settings
Configure the FortiMail unit basic email system settings, including host name and domain name.
To configure the email system settings
1. Go to Mail Settings > Settings > Local Host.
2. Enter the following information and select OK:
Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the domain name of your email server. The FortiMail unit's Fully Qualified Domain Name (FQDN) is .. For example, “mailsvr.company.com”.
SMTP Server Port Number: Enter the SMTP port number. The default and standard SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email server.
Relay Server Port: Enter the relay server port number if your ISP provides a relay email server.
Configuring MX records to route incoming email
Mail Exchange (MX) records are used to route email to specific destinations. An MX record is an entry in a domain name database such as a DNS server. If a local DNS server exists, MX records can be added or changed on the DNS server using one of several user interfaces, depending on the operating system used. When a user sends an email, the sender's mail server performs a DNS lookup using the recipient's domain name, for example the "example.com" part of a recipient address such as user@example.com, and acquires the MX record. The MX record names the host (or hosts, each with a preference value) that accepts mail for the domain. The sending mail server uses this information to send the email to the recipient's mail server.
In order to route incoming email through the FortiMail unit for scanning, you need to register a Fully Qualified Domain Name (FQDN), for example fm.exampledom.com, and a global IP address for the FortiMail unit. Route incoming email to the FortiMail unit by changing the MX record to point to the FortiMail host name rather than the email server. For example, using the information from the table below, change the existing MX record currently pointing to the email server so that it points to the FortiMail unit.
Email server: mail.exampledom.com
Current MX record: exampledom.com. IN MX 10 mail.exampledom.com.
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2
Change the existing MX record for exampledom.com so that it points to the FortiMail unit, and add an address record for the FortiMail host name. For example:
exampledom.com.    IN MX 10 fm.exampledom.com.
fm.exampledom.com. IN A     172.16.15.2
The preference value (10 here) is a required part of an MX record; when a domain lists several MX records, sending servers try the lowest value first. Replace the existing MX record rather than adding the FortiMail unit beside it: any MX record that still points directly at the email server lets a sender deliver around the FortiMail unit without scanning.
The A record
The second line in the above example, fm.exampledom.com. IN A 172.16.15.2, is an address record, commonly called an A record. It is a type of DNS entry that assigns an IP address to a host name. Before email is sent out, the sender's mail server looks up the MX record for the recipient's domain and then the A record for the mail exchanger it names. Using the A record entry, the email is sent to the IP address that corresponds to that host name. In this deployment the FortiMail unit has a private address behind the firewall, so the A record you publish in public DNS must carry the external address that the firewall's virtual IP maps to the FortiMail unit (see "Configuring the firewall" below), not the private address itself.
Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed. The local domain name is used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A subdomain of the protected domain is recommended for the local domain because it does not require registering a separate domain.
To add a domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the domain name including the suffix. For example, company.com.
4. Enter the IP address or name of the SMTP server, and the port number if it is different from the default 25. The email server IP address or name tells the FortiMail gateway where to route mail for this domain.
5. Select OK.
Creating local domains
Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:
• accounting.company.com
• dev.company.com
Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the local domain name.
4. Enter the domain name including the suffix. For example, company.com.
5. Enter the IP address of the SMTP server, and the port number if it is different from the default 25. The email server IP address tells the FortiMail gateway where to route mail for this domain.
6. Select Is Subdomain.
7. Select the main domain that the local domain is a part of.
8. Select OK.
Configuring the firewall
Note: The following steps use a FortiGate firewall device. If you are using a different firewall appliance, consult the appliance's documentation for completing similar configurations.
With the FortiMail unit behind the FortiGate firewall, you must configure firewall policies on the FortiGate unit to ensure that incoming SMTP traffic goes to the FortiMail gateway before reaching the email server. To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, it directs that traffic to the internal IP address of the FortiMail unit. This allows the FortiMail unit to perform antivirus scanning, antispam filtering, and email archiving on the SMTP traffic.
How Virtual IPs work
Virtual IP (VIP) addresses enable users from outside a private network to access services inside that network. Under normal circumstances this is not possible, because private IP addresses are not routed on the Internet. For example, a user on the Internet is not able to send an email directly to the FortiMail unit on a company internal network. However, you can configure the FortiGate unit so that an email message to a company employee reaches the FortiMail unit on the private network from the Internet. In the example that follows, the packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface. The virtual IP settings map 192.168.37.4 to 10.10.10.42, so the packets' addresses are changed: the destination becomes 10.10.10.42 and, because the policy applies NAT, the source becomes 10.10.10.2, the address of the FortiGate unit's internal interface. The FortiGate unit records this translation in the firewall session table it maintains internally, so that the server's replies are translated back on their way out. The packets are then sent on their way and arrive at the server computer. Note that the FortiGate unit must be in NAT/Route mode to add VIPs. For more information on virtual IPs, see the FortiGate Administration Guide.
To configure a VIP on a FortiGate unit
1. Go to Firewall > Virtual IP.
2. Select Create New.
3. Complete the following and select OK:
Name: Enter a name for the VIP, for example the name of the FortiMail unit.
External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Type: Select Static NAT.
External IP Address/Range: Enter the external IP address that you want to map to an address on the destination network.
Mapped IP Address/Range: Enter the real IP address of the FortiMail unit on the destination network to which the external IP address is mapped.
Create an incoming traffic firewall policy
With the VIP established, create a firewall policy to allow traffic from the FortiGate external interface to the VIP mapping on the internal interface.
To create the firewall policy
1. Go to Firewall > Policy.
2. Select Create New.
3. Set the following and select OK:
Source Interface/Zone: The FortiGate external interface connected to the Internet.
Source Address Name: ALL
Destination Interface/Zone: The FortiGate internal interface connected to the network.
Destination Address Name: Select the FortiMail VIP name from the list under Virtual IP.
Schedule: Select ALWAYS.
Service: Select ALL. Selecting SMTP instead (and the SMTPS port, if you enabled SMTP over SSL/TLS) limits what the VIP exposes to the mail ports the FortiMail unit actually serves; the in-front-of-firewall configuration later in this chapter uses SMTP.
Action: Select ACCEPT.
Create an outgoing traffic firewall policy
Create an outgoing policy that allows email from the FortiMail unit to pass through the FortiGate unit onto the Internet.
To create the firewall policy
1. Go to Firewall > Policy.
2. Select Create New.
3. Set the following and select OK:
Source Interface/Zone: The FortiGate internal interface connected to the network.
Source Address Name: Select the FortiMail VIP name from the list under Virtual IP.
Destination Interface/Zone: The FortiGate external interface connected to the Internet.
Destination Address Name: Select ALL.
Schedule: Select ALWAYS.
Service: Select ALL.
Action: Select ACCEPT.
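The VIP and the two policies above, as an added example that is not part of the FortiMail guide and not Fortinet code: a Python model of what the FortiGate unit does with the guide's example packet (192.168.37.55 to the VIP 192.168.37.4, mapped to 10.10.10.42 with the source rewritten to 10.10.10.2), including the session-table entry that translates the server's reply back, the implicit deny for traffic that matches no policy, and the outgoing policy for mail leaving the FortiMail unit. The interface names wan1 and internal, the wan1 address 192.168.37.1, the outside address 203.0.113.5, NAT enabled on both policies, and restricting the incoming policy to SMTP and SMTPS rather than ALL are assumptions made for this example.

```python
"""Static-NAT virtual IP (VIP) and policy model for the FortiMail-behind-FortiGate layout.

Added example, not code from the FortiMail Install Guide or from Fortinet.
Assumed: interface names wan1/internal, wan1 address 192.168.37.1, NAT enabled
on both policies, incoming service limited to SMTP/SMTPS (the guide uses ALL).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SMTP_SERVICES = frozenset({25, 465})  # SMTP and SMTPS ports from the Local Host settings


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: frozenset | None   # None means ALL
    dstaddr: frozenset | None   # None means ALL; a VIP is matched by its external address
    services: frozenset | None  # None means ALL; otherwise TCP destination ports
    nat: bool = False           # rewrite the source to the outgoing interface address


class FortiGateModel:
    """Policy lookup, VIP translation and a session table for reverse translation."""

    def __init__(self, interfaces, vips, policies, default_iface):
        # interfaces: name -> (interface address, attached network)
        self.interfaces = {
            name: (ipaddress.ip_address(addr), ipaddress.ip_network(net))
            for name, (addr, net) in interfaces.items()
        }
        self.vips = dict(vips)            # external IP -> mapped (internal) IP
        self.policies = list(policies)    # evaluated top to bottom, first match wins
        self.default_iface = default_iface  # where the default route points
        self.sessions = {}                # reply 4-tuple -> original packet

    def interface_for(self, ip):
        """Outgoing interface for an address: the directly attached network, else the default route."""
        addr = ipaddress.ip_address(ip)
        for name, (_, net) in self.interfaces.items():
            if addr in net:
                return name
        return self.default_iface

    def forward(self, in_iface, pkt):
        """Translate a new inbound packet, or return None when no policy accepts it."""
        real_dst = self.vips.get(pkt.dst, pkt.dst)   # VIP static NAT: external -> mapped IP
        out_iface = self.interface_for(real_dst)
        for pol in self.policies:
            if pol.srcintf != in_iface or pol.dstintf != out_iface:
                continue
            if pol.srcaddr is not None and pkt.src not in pol.srcaddr:
                continue
            if pol.dstaddr is not None and pkt.dst not in pol.dstaddr:
                continue
            if pol.services is not None and pkt.dport not in pol.services:
                continue
            src = str(self.interfaces[out_iface][0]) if pol.nat else pkt.src
            out = Packet(src, pkt.sport, real_dst, pkt.dport)
            # Remember the translation so the server's reply can be mapped back.
            self.sessions[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        return None  # implicit deny: nothing matched

    def reply(self, pkt):
        """Translate a reply from the internal server using the session table."""
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None  # no session: a reply nobody asked for is dropped
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def build_guide_example():
    """The VIP and policies from the guide, with the guide's example addresses."""
    return FortiGateModel(
        interfaces={"wan1": ("192.168.37.1", "192.168.37.0/24"),   # assumed wan1 address
                    "internal": ("10.10.10.2", "10.10.10.0/24")},  # 10.10.10.2: NATed source in the guide
        vips={"192.168.37.4": "10.10.10.42"},                      # external VIP -> FortiMail unit
        policies=[
            # Incoming: wan1 -> internal, any source, destination = the VIP, SMTP/SMTPS only
            Policy("wan1", "internal", None, frozenset({"192.168.37.4"}), SMTP_SERVICES, nat=True),
            # Outgoing: internal -> wan1, source = the FortiMail unit (the VIP's mapped address)
            Policy("internal", "wan1", frozenset({"10.10.10.42"}), None, None, nat=True),
        ],
        default_iface="wan1",
    )


def walk_through():
    """Run the guide's packets through the model; returns (inbound, reply, dropped, outbound)."""
    fw = build_guide_example()
    inbound = fw.forward("wan1", Packet("192.168.37.55", 51234, "192.168.37.4", 25))
    reply = fw.reply(Packet("10.10.10.42", 25, "10.10.10.2", 51234))
    dropped = fw.forward("wan1", Packet("192.168.37.55", 51235, "192.168.37.4", 80))  # not SMTP
    outbound = fw.forward("internal", Packet("10.10.10.42", 40000, "203.0.113.5", 25))
    return inbound, reply, dropped, outbound


if __name__ == "__main__":
    for label, pkt in zip(("inbound", "reply", "non-SMTP", "outbound"), walk_through()):
        print(f"{label}: {pkt}")
```

The session table is the part the GUI hides: the server never sees 192.168.37.55, yet its reply leaves the FortiGate unit with the VIP as source and the original client as destination, which is why the VIP, not the FortiMail unit's private address, belongs in the public A record.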
Routing outgoing email to the FortiMail gateway
The FortiMail unit is now configured to receive incoming email, scan it and send it to the recipient as required. You must also configure the email environment so that the FortiMail unit scans outgoing email, whether it is destined for an internal user or a user on the Internet. To do this, configure the email clients of your users to send email messages to the FortiMail unit. When the FortiMail unit receives an email message, it scans the message for viruses and spam and routes it to its next destination. To configure an email client to send email to the FortiMail unit, set the outgoing mail server (SMTP) in the email client to the FortiMail unit.
Next Steps
The configuration is now complete. Using your email client software, try sending email using the test user to verify that you can send and receive email. If you are having difficulties, review the steps and the values entered to ensure they are correct. See the chapter "Testing and next steps" on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
FortiMail Gateway in front of a firewall
The FortiMail unit is positioned in front of the firewall. With the FortiMail unit set up this way, if the FortiMail gateway is compromised by attacks, the firewall still separates it from the email server and the internal network. The FortiMail unit itself, however, is not protected by the firewall and is exposed directly to the Internet.
Figure 7: FortiMail Gateway in front of firewall (diagram not reproduced; its labels are Email Server, Internal, External, Switch, Internet Router, Firewall, DNS Server)
Configuring the network settings
Use the following table to gather the information you need to customize the gateway mode settings.
Table 3: Gateway mode settings
Administrator Password: ________________
Network settings
Port 1: IP _____._____._____._____  Netmask _____._____._____._____
Port 2: IP _____._____._____._____  Netmask _____._____._____._____
Port 3: IP _____._____._____._____  Netmask _____._____._____._____
Port 4: IP _____._____._____._____  Netmask _____._____._____._____
Port 5: IP _____._____._____._____  Netmask _____._____._____._____
Port 6: IP _____._____._____._____  Netmask _____._____._____._____
Default Gateway: _____._____._____._____
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to the hub or switch of the network segment where the FortiMail unit is placed. The IP address of Port 1 must be on the same subnet as that network and cannot use the same address as another device or computer on the network.
Configuring a static IP address
To configure a network interface with a static IP address
1. Go to System > Network > Interface.
2. Select Modify for Port 1.
3. Select Manual Addressing Mode.
4. Enter the IP address and netmask.
5. Select OK.
If you changed the IP address of the interface through which you are connected to manage the FortiMail unit, you must reconnect to the web-based manager using the new IP address.
Configuring an interface for DHCP
You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server, such as one run by your Internet Service Provider (ISP). Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet. When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if you need to configure them manually.
To configure an interface for DHCP
1. Go to System > Network > Interface.
2. Select Modify for Port 1.
3. Select DHCP.
4. If required, clear Retrieve default gateway and DNS from server to disable this option and configure the gateway and DNS servers manually.
5. Select OK.
Configuring DNS
You need to configure DNS server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider. In simple terms, DNS acts as a phone book for the Internet: a DNS server matches domain names with IP addresses, which lets you use readable names such as fortinet.com. To deliver an email message, a sending mail server looks up the mail exchange (MX) record for the recipient's domain and then resolves the host name of that mail exchanger to an IP address. The FortiMail unit performs the same lookups when it relays email, so it cannot deliver mail without a reachable DNS server.
To add DNS server IP addresses
1. Go to System > Network > DNS.
2. Enter the primary and secondary DNS server IP addresses.
3. Select Apply.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the FortiMail unit to reach the DNS server and the networks it delivers mail to. If you configured your interfaces dynamically using DHCP, the FortiMail unit configures a default route automatically. The gateway address for the default route is on the same network as port 1. You need to configure additional routes if any of your email servers are on a different subnet. The gateway you specify is the address of the next-hop router that connects to the required network.
To configure routing
1. Go to System > Network > Routing.
2. Select Create New to add a new route, or select Modify to change the default route.
3. Enter the Destination IP address and netmask.
4. Enter the Gateway IP address.
5. Select OK.
Configuring the email system settings
The FortiMail unit relays email after scanning it for viruses and spam. You need to configure basic email system settings and email access permissions.
Configuring basic email system settings
Configure the FortiMail unit basic email system settings, including the host name and the local domain name.
To configure the email system settings
1. Go to Mail Settings > Settings > Local Host.
2. Enter the following information and select Apply:
Host Name: Enter the host name for the FortiMail unit, for example mailsvr.
Local Domain Name: Enter the local domain name. It must be different from the domain name of your email server. The FortiMail unit's Fully Qualified Domain Name (FQDN) is the host name followed by the local domain name, for example mailsvr.company.com.
SMTP Server Port Number: Enter the SMTP port number. The default and standard SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS-encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives email in plain text.
SMTPS Server Port Number: The default port number is 465. Encrypted SMTP traffic is accepted on this port. You must enable SMTP over SSL/TLS before you can set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email server.
Relay Server Port: Enter the relay server port number if your ISP provides a relay email server.
Configuring MX records to route incoming email
Mail Exchange (MX) records are used to route email to specific destinations. An MX record is an entry in a domain name database such as a DNS server. If a local DNS server exists, MX records can be added or changed on the DNS server using one of several user interfaces, depending on the operating system used. When a user sends an email, the sender's mail server performs a DNS lookup using the recipient's domain name, for example the "example.com" part of a recipient address such as user@example.com, and acquires the MX record. The MX record names the host (or hosts, each with a preference value) that accepts mail for the domain. The sending mail server uses this information to send the email to the recipient's mail server.
In order to route incoming email through the FortiMail unit for scanning, you need to register a Fully Qualified Domain Name (FQDN), for example fm.exampledom.com, and a global IP address for the FortiMail unit. Route incoming email to the FortiMail unit by changing the MX record to point to the FortiMail host name rather than the email server. For example, using the information from the table below, change the existing MX record currently pointing to the email server so that it points to the FortiMail unit.
Email server: mail.exampledom.com
Current MX record: exampledom.com. IN MX 10 mail.exampledom.com.
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2
Change the existing MX record for exampledom.com so that it points to the FortiMail unit, and add an address record for the FortiMail host name. For example:
exampledom.com.    IN MX 10 fm.exampledom.com.
fm.exampledom.com. IN A     172.16.15.2
The preference value (10 here) is a required part of an MX record; when a domain lists several MX records, sending servers try the lowest value first. Replace the existing MX record rather than adding the FortiMail unit beside it: any MX record that still points directly at the email server lets a sender deliver around the FortiMail unit without scanning.
The A record
The second line in the above example, fm.exampledom.com. IN A 172.16.15.2, is an address record, commonly called an A record. It is a type of DNS entry that assigns an IP address to a host name. Before email is sent out, the sender's mail server looks up the MX record for the recipient's domain and then the A record for the mail exchanger it names. Using the A record entry, the email is sent to the IP address that corresponds to that host name. In this deployment the FortiMail unit sits in front of the firewall, so the address in the A record is the FortiMail unit's own globally routable address; the private address 172.16.15.2 in the example stands in for it.
Adding a domain
You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed. The local domain name is used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A subdomain of the protected domain is recommended for the local domain because it does not require registering a separate domain.
To add a domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the domain name including the suffix. For example, company.com.
4. Enter the IP address or name of the SMTP server, and the port number if it is different from the default 25. The email server IP address or name tells the FortiMail gateway where to route mail for this domain.
5. Select OK.
Creating local domains
Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:
• accounting.company.com
• dev.company.com
Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.
Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the local domain name.
4. Enter the domain name including the suffix. For example, company.com.
5. Enter the IP address of the SMTP server, and the port number if it is different from the default 25. The email server IP address tells the FortiMail gateway where to route mail for this domain.
6. Select Is Subdomain.
7. Select the main domain that the local domain is a part of.
8. Select OK.
Configuring the firewall
With the FortiMail unit in front of the FortiGate firewall, you must configure policies to ensure that incoming SMTP traffic scanned by the FortiMail unit goes to the email server. You also need a policy so that email sent by internal users passes through the firewall to the FortiMail unit for scanning before it is sent to the Internet.
Note: The following steps use a FortiGate firewall device. If you are using a different firewall appliance, consult the appliance's documentation for completing similar configurations.
Configuring the FortiMail policy
Create a firewall policy that permits SMTP traffic on port 25 to pass from the FortiMail unit through the firewall to the email server. First, create address entries on the FortiGate unit that identify the FortiMail unit and the email server. Because the incoming policy accepts SMTP only from the FortiMail unit's address, other Internet hosts cannot deliver to the email server directly and bypass scanning.
To create an address for the FortiMail unit, on the FortiGate unit
1. Go to Firewall > Address.
2. Select Create New.
3. Complete the following and select OK:
Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select the FortiGate interface connected to the Internet.
To create an address for the email server, on the FortiGate unit
1. Go to Firewall > Address.
2. Select Create New.
3. Complete the following and select OK:
Name: Enter the name of the email server.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the email server.
Interface: Select the FortiGate interface connected to the email server.
Next, create the incoming email firewall policy so that email from the FortiMail unit goes to the email server.
To configure the incoming policy, on the FortiGate unit
1. Go to Firewall > Policy.
2. Select Create New.
3. Complete the following and select OK:
Source Interface/Zone: Select the external interface connected to the Internet.
Source Address Name: Select the FortiMail address from the list.
Destination Interface/Zone: Select the internal interface connected to the network.
Destination Address Name: Select the email server address from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Configure the user send policy
You also need to add a firewall policy so that email users can send email to the FortiMail unit for scanning before it is sent over the Internet. Note that this policy does not use the email server address: all outgoing email passes through the FortiMail unit before it goes out through the firewall.
To configure the outgoing policy
1. Go to Firewall > Policy.
2. Select Create New.
3. Complete the following and select OK:
Source Interface/Zone: Select the internal interface connected to the network.
Source Address Name: Select ALL so that all users can send email messages through the policy.
Destination Interface/Zone: Select the external interface connected to the Internet.
Destination Address Name: Select the FortiMail unit from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Routing outgoing email to the FortiMail gateway
The firewall and FortiMail unit are now configured to receive incoming email, scan it and send it to the recipient as required, and email users can send email, which the FortiMail unit scans before sending it to the Internet. You must also configure the email client software so that it sends outgoing email to the FortiMail unit for scanning, whether the email is destined for an internal user or a user on the Internet. To configure an email client to send email to the FortiMail unit, set the outgoing mail server (SMTP) in the email client to the FortiMail unit.
Next Steps
The configuration is now complete. Using your email client software, try sending email using the test user to verify that the FortiMail unit can send and receive email. If you are having difficulties, review the steps and the values entered to ensure they are correct. See the chapter "Testing and next steps" on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
FortiMail Gateway in the DMZ
The FortiMail unit is positioned in the DMZ of the firewall appliance. With the FortiMail unit set up this way, the FortiMail unit is protected by the firewall, and if the FortiMail unit is compromised by attacks, the firewall still separates it from the internal network and the email server.
Figure 8: FortiMail Gateway in DMZ (diagram not reproduced; its labels are Email Server, Internal Switch, External, DMZ, Internet Router, DNS Server)
Configuring the network settings
Use the following table to gather the information you need to customize the gateway mode settings.
Table 4: Gateway mode settings
Administrator Password: ________________
Network settings
Port 1: IP _____._____._____._____  Netmask _____._____._____._____
Port 2: IP _____._____._____._____  Netmask _____._____._____._____
Port 3: IP _____._____._____._____  Netmask _____._____._____._____
Port 4: IP _____._____._____._____  Netmask _____._____._____._____
Port 5: IP _____._____._____._____  Netmask _____._____._____._____
Port 6: IP _____._____._____._____  Netmask _____._____._____._____
Default Gateway: _____._____._____._____
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to the DMZ interface of the firewall appliance. The IP address of Port 1 must be on the same subnet as the DMZ network and cannot use the same address as another device or computer on the network. Assign a static IP address, or configure the interface for dynamic IP address assignment using DHCP if the network supports it.
Configuring a static IP address
To configure a network interface with a static IP address
1. Go to System > Network > Interface.
2. Select Modify for Port 1.
3. Select Manual Addressing Mode.
4. Enter the IP address and netmask.
5. Select OK.
If you changed the IP address of the interface through which you are connected to manage the FortiMail unit, you must reconnect to the web-based manager using the new IP address.
Configuring an interface for DHCP
You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server, such as one run by your Internet Service Provider (ISP). Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet. When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if you need to configure them manually.
To configure an interface for DHCP
1. Go to System > Network > Interface.
2. Select Modify for Port 1.
3. Select DHCP.
4. If required, clear Retrieve default gateway and DNS from server to disable this option and configure the gateway and DNS servers manually.
5. Select OK.
Configuring DNS
You need to configure Domain Name System (DNS) server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider. In simple terms, DNS acts as a phone book for the Internet: a DNS server matches domain names with IP addresses, which lets you use readable names such as fortinet.com. To deliver an email message, a sending mail server looks up the mail exchange (MX) record for the recipient's domain and then resolves the host name of that mail exchanger to an IP address. The FortiMail unit performs the same lookups when it relays email, so it cannot deliver mail without a reachable DNS server.
To add DNS server IP addresses
1. Go to System > Network > DNS.
2. Enter the primary and secondary DNS server IP addresses.
3. Select Apply.
Configuring routing
Configure routing on the FortiMail unit to define the route that enables the FortiMail unit to reach the DNS server and the networks it delivers mail to. If you configured your interfaces dynamically using DHCP, the FortiMail unit configures a default route automatically. The gateway address is the IP address of the firewall's DMZ interface, which is on the same network as this FortiMail interface.
To configure routing
1. Go to System > Network > Routing.
2. Select Create New to add a new route, or select Modify to change the default route.
3. Enter the Destination IP address and netmask.
4. Enter the Gateway IP address.
5. Select OK.
Configuring the email system settings
The FortiMail unit relays email after scanning it for viruses and spam. You need to configure basic email system settings and email access permissions.
Configuring basic email system settings
Configure the FortiMail unit basic email system settings, including the host name and the local domain name.
To configure the basic email system settings
1. Go to Mail Settings > Settings > Local Host.
2. Enter the following information and select Apply:
Host Name: Enter the host name for the FortiMail unit, for example mailsvr.
Local Domain Name: Enter the local domain name. It must be different from the domain name of your email server. The FortiMail unit's Fully Qualified Domain Name (FQDN) is the host name followed by the local domain name, for example mailsvr.company.com.
SMTP Server Port Number: Enter the SMTP port number. The default and standard SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS-encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives email in plain text.
SMTPS Server Port Number: The default port number is 465. Encrypted SMTP traffic is accepted on this port. You must enable SMTP over SSL/TLS before you can set this option.
Relay Server Name: Enter a relay server name if your ISP provides a relay email server.
Relay Server Port: Enter the relay server port number if your ISP provides a relay email server.
Configuring MX records to route incoming email Mail Exchange (MX) Records are used to route email to specific destinations. It is an entry in a domain name database such as a DNS server. If a local DNS server exists, MX Records can be added or changed on the DNS server using one of several user interfaces depending on the operating system used. When a user sends an e-mail, the sender’s mail server performs a DNS lookup using the recipients domain name, for example, “example.com” in the email address “[email protected]”, and acquires the MX Record. The MX Record contains the domain and host names. The sending mail server uses this information to send the e-mail to the recipient’s mail server.
FortiMail Version 3.0 MR2 Install Guide 06-30002-0234-20071212
In order to route incoming email through the FortiMail unit for scanning, you need to register a Fully Qualified Domain Name (FQDN), for example, fm.exampledom.com, and a global IP address for the FortiMail unit. Route incoming email to the FortiMail unit by changing the MX record to point to the FortiMail domain rather than the email server. For example, using the information from the table below, change the existing MX record currently pointing to the email server so that it points to the FortiMail unit.

Email server:          mail.exampledom.com
Current MX record:     IN MX mail.exampledom.com
FortiMail hostname:    fm.exampledom.com
FortiMail IP address:  172.16.15.2

Change the existing MX record for mail.exampledom.com to point to the FortiMail unit. For example:

    IN MX fm.exampledom.com
    fm.exampledom.com IN A 172.16.15.2

The A record

The second line in the above example is

    fm.exampledom.com IN A 172.16.15.2

This is an address record, commonly called an A record. It is a type of DNS entry that assigns an IP address to a domain name. Before email is sent out, the MX and A records for the recipient are looked up in the DNS server by the sender's mail server. Then, using the A record entry, the email is sent to the recipient using the corresponding domain name's IP address.
Adding a domain

You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed. The local domain name is used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A subdomain of the protected domain is recommended for the local domain because it saves registering a separate domain.

To add a domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the domain name including the suffix. For example, company.com.
4. Enter the IP address or name of the SMTP server, and the port number if different from the default 25. Entering the email server IP address or server name tells the FortiMail gateway where the email server is, so that it can route mail to it.
5. Select OK.
Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization, at the same or different locations. For example:
• accounting.company.com
• dev.company.com

Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.

To create a local domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the local domain name.
4. Enter the domain name including the suffix. For example, company.com.
5. Enter the IP address of the SMTP server, and the port number if different from the default 25. Entering the email server IP address tells the FortiMail gateway where the email server is, so that it can route mail to it.
6. Select Is Subdomain.
7. Select the main domain the local domain is a part of.
8. Select OK.
Configuring the firewall

With the FortiMail unit in the DMZ of the FortiGate firewall, you must configure policies to ensure that incoming SMTP traffic scanned by the FortiMail unit goes to the email server, and that email sent by internal users via the email server passes through the firewall for scanning by the FortiMail unit before it is sent to the Internet.

Note: The following steps use a FortiGate firewall device. If you are using an alternate firewall appliance, consult the appliance's documentation for completing similar configurations.

Configuring the FortiMail policy

Create a firewall policy that permits all SMTP traffic on port 25 to pass from the FortiMail unit through the firewall and directs it to the email server. First, you must create address entries for the FortiMail unit and the email server.

To create an address for the FortiMail unit, on the FortiGate unit
1. Go to Firewall > Address.
2. Select Create New.
3. Complete the following and select OK:

Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select the DMZ interface on the FortiGate unit.
To create an address for the email server, on the FortiGate unit
1. Go to Firewall > Address.
2. Select Create New.
3. Complete the following and select OK:

Name: Enter the name of the email server.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the email server.
Interface: Select the interface of the FortiGate unit connected to the internal network.
Next, create the incoming email firewall policies. Two policies are required for incoming mail: one routes the email from the external interface of the FortiGate unit to the DMZ interface where the FortiMail unit is; a second policy enables email scanned by the FortiMail unit to go from the DMZ interface to the internal interface on the network.

To configure the incoming policy from the external interface to the DMZ interface, on the FortiGate unit
1. Go to Firewall > Policy.
2. Select Create New.
3. Complete the following and select OK:

Source Interface/zone: Select the external interface connected to the Internet.
Source Address Name: Select the external address for the Internet.
Destination Interface/zone: Select the DMZ interface connected to the network.
Destination Address Name: Select FortiMail from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
To configure the incoming policy from the DMZ interface to the internal interface, on the FortiGate unit
1. Go to Firewall > Policy.
2. Select Create New.
3. Complete the following and select OK:

Source Interface/zone: Select the DMZ interface connected to the FortiMail unit.
Source Address Name: Select the FortiMail address from the list.
Destination Interface/zone: Select the internal interface connected to the network.
Destination Address Name: Select the email server from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Configuring the user send policy

You also need to add a firewall policy so that end users send email to the FortiMail unit for scanning before it is sent over the Internet. Two policies are required for outgoing mail: one routes the email from the internal interface of the FortiGate unit to the DMZ interface where the FortiMail unit is; a second policy enables email scanned by the FortiMail unit to go from the DMZ interface to the external interface and out to the Internet.

To configure the outgoing policy from the internal interface to the DMZ interface, on the FortiGate unit
1. Go to Firewall > Policy.
2. Select Create New.
3. Complete the following and select OK:

Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL so that all users can send email messages through the policy.
Destination Interface/zone: Select the DMZ interface connected to the FortiMail unit.
Destination Address Name: Select the FortiMail unit from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
To configure the outgoing policy from the DMZ interface to the external interface, on the FortiGate unit
1. Go to Firewall > Policy.
2. Select Create New.
3. Complete the following and select OK:

Source Interface/zone: Select the DMZ interface connected to the network.
Source Address Name: Select the FortiMail unit from the list.
Destination Interface/zone: Select the external interface connected to the FortiMail unit.
Destination Address Name: Select the external address for the Internet.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
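The four FortiGate policies above, taken together, should let SMTP reach the email server only by way of the FortiMail unit and let internal users reach the Internet on port 25 only through it. The following is an added example, not code from the guide or from Fortinet: it expresses the four policies as data and evaluates constructed flows against them with the implicit deny that applies when nothing matches. The interface names and the FortiMail address 172.16.15.2 follow the guide; the email server address 10.0.0.25, the internal subnet and the Internet host 203.0.113.7 are assumed.

```python
"""Added example (not part of the FortiMail guide): the four FortiGate policies
from this section expressed as data, plus a first-match evaluator with the
implicit deny a firewall applies when no policy matches.  Interface names and
the FortiMail address (172.16.15.2) follow the guide; the email server address
10.0.0.25 and the internal hosts 10.0.0.x are assumed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Firewall > Address entries (guide: FortiMail on the DMZ, email server internal).
ADDRESSES: Dict[str, Net] = {
    "all": Net("0.0.0.0/0"),
    "FortiMail": Net("172.16.15.2/32"),
    "MailServer": Net("10.0.0.25/32"),       # assumed address
}
SERVICES: Dict[str, Tuple[str, int]] = {"SMTP": ("tcp", 25), "HTTP": ("tcp", 80)}

@dataclass(frozen=True)
class Policy:
    src_if: str
    src_addr: str
    dst_if: str
    dst_addr: str
    service: str
    action: str = "ACCEPT"    # schedule ALWAYS is implied

# The four policies in the order the guide creates them.
POLICIES: List[Policy] = [
    Policy("external", "all", "dmz", "FortiMail", "SMTP"),        # Internet -> FortiMail
    Policy("dmz", "FortiMail", "internal", "MailServer", "SMTP"), # FortiMail -> email server
    Policy("internal", "all", "dmz", "FortiMail", "SMTP"),        # users -> FortiMail
    Policy("dmz", "FortiMail", "external", "all", "SMTP"),        # FortiMail -> Internet
]

@dataclass(frozen=True)
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: str
    dport: int

def evaluate(flow: Flow, policies: List[Policy] = POLICIES) -> str:
    """First matching policy decides; with no match the implicit deny applies."""
    for p in policies:
        if (p.src_if == flow.src_if and p.dst_if == flow.dst_if
                and IPv4(flow.src_ip) in ADDRESSES[p.src_addr]
                and IPv4(flow.dst_ip) in ADDRESSES[p.dst_addr]
                and SERVICES[p.service] == (flow.proto, flow.dport)):
            return p.action
    return "DENY (implicit)"

# Constructed flows: what the policy set should and should not let through.
SCENARIOS: Dict[str, Flow] = {
    "internet to FortiMail, SMTP":      Flow("external", "203.0.113.7", "dmz", "172.16.15.2", "tcp", 25),
    "internet to mail server directly": Flow("external", "203.0.113.7", "internal", "10.0.0.25", "tcp", 25),
    "FortiMail to mail server":         Flow("dmz", "172.16.15.2", "internal", "10.0.0.25", "tcp", 25),
    "user to FortiMail":                Flow("internal", "10.0.0.50", "dmz", "172.16.15.2", "tcp", 25),
    "user straight to internet SMTP":   Flow("internal", "10.0.0.50", "external", "203.0.113.7", "tcp", 25),
    "FortiMail to internet":            Flow("dmz", "172.16.15.2", "external", "203.0.113.7", "tcp", 25),
    "internet to FortiMail, HTTP":      Flow("external", "203.0.113.7", "dmz", "172.16.15.2", "tcp", 80),
}

if __name__ == "__main__":
    for name, flow in SCENARIOS.items():
        print(f"{name:34s} {evaluate(flow)}")
```

The two denied SMTP flows are the ones that matter for the deployment: the email server is not reachable from the Internet except through the FortiMail unit, and an internal host cannot bypass scanning by speaking SMTP to the Internet directly.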
Routing outgoing email to the FortiMail Gateway

The firewall and FortiMail unit are now configured to receive incoming email, scan it, and send it to the recipient as required. You must also configure the email clients so that the client software sends outgoing email to the FortiMail unit for scanning, whether it is destined for an internal user or a user on the Internet. To configure an email client to send email to the FortiMail unit, in the email client, set the outgoing mail server (SMTP) to the FortiMail unit.

Next Steps

The configuration is now complete. Using your email client software, try sending email using the test user to verify that the FortiMail server can send and receive email. If you are having difficulties, review the steps and the values entered to ensure they are correct. See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
Configuring transparent mode

This chapter describes how to configure a FortiMail unit to operate in transparent mode. In transparent mode, the FortiMail unit acts as a bridge, providing seamless integration into existing network environments as the FortiMail unit scans email traffic to and from the email server. Like gateway mode, it offers effective email scanning and security. Use these deployment and configuration examples to install the FortiMail unit on your network, or use them as a guide for your own network topology. Additional configuration information and details are available in the FortiMail Administration Guide.

Note: This chapter uses the FortiMail unit in the advanced management mode.

This chapter includes the following:
• Deploying in front of an email server
• Deploying to protect an email hub
Switching to transparent mode

Use the web-based manager to complete the configuration of the FortiMail unit. You can continue to use the web-based manager for all FortiMail settings. Before you begin, ensure the FortiMail unit is in transparent mode. If not, switch over to this mode.

To switch to transparent mode
1. Go to System > Status.
2. Select Change beside the Operation Mode.
3. Select Transparent in the Operation Mode list.
4. Select Apply. The FortiMail unit reboots and resets all configuration to the factory defaults.
Deploying in front of an email server

A common configuration of the FortiMail unit in transparent mode is to place the FortiMail unit in front of the mail server. The FortiMail unit scans email travelling to and from the email server. You can use the FortiMail unit with many of the default settings and only minor configuration.

Figure 9: Typical FortiMail deployment in transparent mode (Internet, router, FortiMail unit in transparent mode, mail server, mail users via POP3/IMAP/web mail)

This section includes the following topics:
• Configuring the network settings
• Configuring the email system settings
• Configuring proxies
Configuring the network settings

Use the following table to gather the information you need to customize transparent mode settings.

Table 5: Transparent mode settings
Administrator Password:
Management IP
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
DNS Settings
  Primary DNS Server: _____._____._____._____
  Secondary DNS Server: _____._____._____._____

Configuring the management IP

In transparent mode, the FortiMail unit has a management IP address for administrative access. The FortiMail unit also uses this IP address to connect to the FortiGuard Distribution Network for virus definition updates.
To configure the management interface
1. Connect to the web-based manager using the default address, https://192.168.1.99/admin.
2. Go to System > Network > Management IP.
3. Enter the new management IP address and netmask.
4. Select Apply. Reconnect to the web-based manager using the new management IP address.

Configuring DNS

You need to configure DNS server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider. In simple terms, a DNS server acts as a phone book for the Internet: it matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.

To add DNS server IP addresses
1. Go to System > Network > DNS.
2. Enter the primary and secondary DNS server IP addresses.
3. Select Apply.

Configuring routing

At a minimum, you need to define a route that enables the FortiMail unit to contact the DNS server. You need to configure additional routes if any of your email servers are on a different network than the FortiMail unit and the DNS server. The gateway you specify is the address of the next-hop router that connects to the required network.

To configure FortiMail unit routing
1. Go to System > Network > Routing.
2. Select Create New.
3. Enter the Destination IP, Netmask and Gateway.
4. Select OK.

Configuring the email system settings

The FortiMail unit can scan email for viruses and spam as it passes to and from the email server. You need to configure basic email system settings and email access permissions so that the email messages pass through the FortiMail unit.

Configuring basic email system settings

Configure the basic email system settings, including the host name and domain name, to provide successful email routing.
To configure the basic email system settings
1. Go to Mail Settings > Settings > Local Host.
2. Enter the following information and select Apply:

Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the domain name of your email server. The FortiMail unit's FQDN is ..
SMTP Server Port Number: Enter the SMTP port number. The default SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.
Adding a domain

You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed. The local domain name is used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A subdomain of the protected domain is recommended for the local domain because it saves registering a separate domain.

To add a domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the domain name including the suffix. For example, company.com.
4. Enter the IP address or name of the SMTP server, and the port number if different from the default 25. Entering the email server IP address or server name tells the FortiMail gateway where the email server is, so that it can route mail to it.
5. Select OK.

Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization, at the same or different locations. For example:
• accounting.company.com
• dev.company.com

Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the local domain name.
4. Enter the domain name including the suffix. For example, company.com.
5. Enter the IP address of the SMTP server, and the port number if different from the default 25. Entering the email server IP address tells the FortiMail gateway where the email server is, so that it can route mail to it.
6. Select Is Subdomain.
7. Select the main domain the local domain is a part of.
8. Select OK.

Configuring proxies

Proxy servers act as a buffer between the network and the Internet. Proxy servers between user workstations and the Internet provide security and administrative control, and give access to resources stored on the proxy. In transparent mode, the SMTP proxy settings determine whether email is dropped, passed through, or proxied. These settings apply to all email except email destined for the FortiMail unit itself, such as email from users requesting deletion or release of quarantined email. Email can be scanned only if it is proxied. The FortiMail unit receives the email, scans it and (if the email passes the scan) relays it to the email server. You configure proxy operation separately for incoming and outgoing email traffic. Regardless of the destination email address, email passing from the network to the back end email server is considered incoming, and email passing from the back end email server to the network is considered outgoing. For a typical transparent mode installation, the default proxy options are appropriate. Should you need to modify the proxies, go to Mail Settings > Proxies to configure the email connections through the ports. For details on the proxy settings, see the FortiMail Administration Guide.

Next Steps

The configuration is now complete. Using your email client software, try sending email using the test user to verify that you can send and receive email. If you are having difficulties, review the steps and the values entered to ensure they are correct. See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
Deploying to protect an email hub

In this configuration, the email servers (Domain “A” and Domain “B”) in each WAN location are required to send email externally through the head office email server only. The head office mail server encrypts the outgoing email. The firewall will only pass SMTP traffic from the headquarters email server. This configuration requires a modification of the default operation of the FortiMail unit. By default, the FortiMail unit acts as an SMTP server to relay email, even if the email client names a domain email server as its SMTP server. With this configuration, the domain mail servers send email to the hub email server for encryption. The FortiMail unit must be configured to pass the encrypted email messages.

Figure 10: FortiMail unit deployed to protect an email hub (Internet, router, port 1 to the head office mail server hub, port 2 to the WAN with the Domain “A” and Domain “B” mail servers)

This section includes the following topics:
• Configuring the network settings
• Configuring the email system settings
• Configuring proxies
Configuring the network settings

Use Table 6 on page 60 to gather the information you need to customize transparent mode settings.

Table 6: Transparent mode settings
Administrator Password:
Management IP
  IP: _____._____._____._____
  Netmask: _____._____._____._____
  Default Gateway: _____._____._____._____
  The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
DNS Settings
  Primary DNS Server: _____._____._____._____
  Secondary DNS Server: _____._____._____._____
Configuring the management IP

In transparent mode, the FortiMail unit has a management IP address for administrative access. The FortiMail unit also uses this IP address to connect to the FortiGuard Distribution Network for virus definition updates. Configure the management IP.

To configure the management interface
1. Connect to the web-based manager using the default address, https://192.168.1.99/admin.
2. Go to System > Network > Management IP.
3. Enter the new management IP address and netmask.
4. Select Apply. Reconnect to the web-based manager using the new management IP address.

Configuring DNS

You need to configure DNS server addresses so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider. A DNS server matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message. In simple terms, it acts as a phone book for the Internet.

To add DNS server IP addresses
1. Go to System > Network > DNS.
2. Enter the primary and secondary DNS server IP addresses.
3. Select Apply.

Configuring routing

At a minimum, you need to define a route that enables the FortiMail unit to contact the DNS server. You need to configure additional routes if any of your email servers are on a different network than the FortiMail unit and the DNS server. The gateway you specify is the address of the next-hop router that connects to the required network.

To configure FortiMail unit routing
1. Go to System > Network > Routing.
2. Select Create New.
3. Enter the Destination IP, Netmask and Gateway.
4. Select OK.
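The management IP, netmask, default gateway and routes gathered in the table and entered in the procedures above (and in the same procedures for the deployment in front of an email server) can be checked before they are applied. The following is an added example, not code from the guide or from Fortinet: it validates the management address against the administrator's workstation and resolves each DNS and email server through the static routes, reporting any server that no route reaches. Every address and route in it is a constructed sample value.

```python
"""Added example (not part of the FortiMail guide): a pre-flight check for the
transparent-mode network settings gathered in Table 6.  It verifies that the
management IP/netmask is valid for the admin workstation's network (or reachable
via the default gateway) and that the routing table covers the DNS servers and
every email server.  All addresses below are constructed sample values."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
Route = Tuple[str, str, str]   # (Destination IP, Netmask, Gateway) as entered in the GUI

def management_ip_ok(mgmt_ip: str, netmask: str, admin_ip: str,
                     default_gateway: Optional[str]) -> Tuple[bool, str]:
    """Valid when the admin host shares the management subnet, or a default
    gateway on that subnet exists to reach it (the guide's two conditions)."""
    mgmt = ipaddress.IPv4Interface(f"{mgmt_ip}/{netmask}")
    subnet = mgmt.network
    if mgmt.ip in (subnet.network_address, subnet.broadcast_address):
        return False, f"{mgmt_ip} is the network or broadcast address of {subnet}"
    if Addr(admin_ip) in subnet:
        return True, f"admin host {admin_ip} is on {subnet}"
    if default_gateway is None:
        return False, f"admin host {admin_ip} is off-subnet and no default gateway is set"
    if Addr(default_gateway) not in subnet:
        return False, f"default gateway {default_gateway} is not on {subnet}"
    return True, f"admin host {admin_ip} reachable via gateway {default_gateway}"

def route_for(dest: str, routes: List[Route], mgmt_net: Net) -> Optional[str]:
    """Longest-prefix match over the static routes; hosts on the management
    subnet need no route.  Returns the next-hop gateway, or None if unreachable."""
    if Addr(dest) in mgmt_net:
        return "directly connected"
    best: Optional[Tuple[int, str]] = None
    for destination, netmask, gateway in routes:
        net = Net(f"{destination}/{netmask}", strict=False)
        if Addr(dest) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gateway)
    return best[1] if best else None

def missing_routes(targets: Dict[str, str], routes: List[Route], mgmt_net: Net) -> List[str]:
    """Names of the DNS and email servers that no route can reach."""
    return [name for name, ip in targets.items() if route_for(ip, routes, mgmt_net) is None]

# Constructed sample: management network 192.168.10.0/24, remote DNS servers
# and a WAN site holding the Domain "A" mail server.
MGMT_NET = Net("192.168.10.0/24")
ROUTES: List[Route] = [
    ("0.0.0.0", "0.0.0.0", "192.168.10.1"),          # default route to the Internet router
    ("10.20.0.0", "255.255.0.0", "192.168.10.254"),  # WAN site holding Domain "A"
]
TARGETS: Dict[str, str] = {
    "primary DNS": "198.51.100.53",
    "secondary DNS": "198.51.100.54",
    "mail server domain A": "10.20.5.25",
    "head office hub": "192.168.10.25",
}

if __name__ == "__main__":
    print(management_ip_ok("192.168.10.99", "255.255.255.0", "192.168.10.7", None))
    for name, ip in TARGETS.items():
        print(f"{name:22s} {ip:15s} via {route_for(ip, ROUTES, MGMT_NET)}")
    print("unreachable:", missing_routes(TARGETS, ROUTES, MGMT_NET))
```

With the sample routes removed, the check lists both DNS servers and the Domain "A" server as unreachable, which is exactly the case the routing procedure above exists to prevent.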
Configuring the email system settings

The FortiMail unit can scan email for viruses and spam as it passes to and from the email server. You need to configure basic email system settings and email access permissions so that the email messages pass through the FortiMail unit.
Configuring basic email system settings

Configure the basic email system settings, including the host name and domain name, to provide successful email routing.

To configure the basic email system settings
1. Go to Mail Settings > Settings > Local Host.
2. Enter the following information and select Apply:

Host Name: Enter the name for the FortiMail unit.
Local Domain Name: Enter the local domain name. It must be different from the domain name of the hub email server. The FortiMail unit's FQDN is ..
Relay Server Name: Enter a relay server name if your ISP provides a relay email server.
SMTP Server Port Number: Enter the SMTP port number. The default SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.
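The SMTP over SSL/TLS and SMTPS Server Port settings above (the same fields appear in the gateway-mode and in-front-of-server procedures) describe two different ways encrypted mail reaches the unit: on port 465 the TLS handshake precedes any SMTP dialogue, while on port 25 a peer that has enabled "Use SSL/TLS if available" decides after seeing the EHLO reply whether it can upgrade with STARTTLS or must fall back to plain text. The following is an added example, not code from the guide or from Fortinet, that models that client-side decision; the EHLO replies are constructed, and the policy names "if-available", "required" and "never" are the example's own.

```python
"""Added example (not from the FortiMail guide): how an SMTP client decides
between STARTTLS on port 25, implicit TLS on port 465 (SMTPS) and plain text,
given the server's EHLO reply.  The EHLO replies below are constructed."""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed EHLO reply from a server that advertises STARTTLS (RFC 3207).
EHLO_WITH_STARTTLS = (
    "250-fm.exampledom.com Hello client.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Constructed EHLO reply from a server that only accepts plain-text SMTP.
EHLO_PLAIN_ONLY = (
    "250-fm.exampledom.com Hello client.example.net\r\n"
    "250 8BITMIME\r\n"
)

def ehlo_keywords(reply: str) -> Set[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.
    The first line carries the greeting, not an extension, so it is skipped."""
    keywords: Set[str] = set()
    for i, line in enumerate(reply.splitlines()):
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        if i == 0:
            continue
        # "250-STARTTLS" / "250 8BITMIME": drop the code and separator, keep the keyword.
        keywords.add(line[4:].split()[0].upper())
    return keywords

@dataclass(frozen=True)
class Decision:
    port: int          # 25 or 465
    mode: str          # "implicit-tls", "starttls", "plaintext" or "abort"
    encrypted: bool

def choose_transport(port: int, ehlo_reply: Optional[str], tls_policy: str) -> Decision:
    """tls_policy (names are the example's own):
      "if-available": the guide's "Use SSL/TLS if available" (opportunistic),
      "required":     never fall back to plain text,
      "never":        plain text only (what a peer sees when SMTP over SSL/TLS is disabled)."""
    if port == 465:
        # SMTPS: the TLS handshake happens before any SMTP dialogue, so the
        # EHLO reply is not needed to decide.
        return Decision(port, "implicit-tls", True)
    if port != 25:
        raise ValueError("example covers the standard ports 25 and 465 only")
    if tls_policy == "never":
        return Decision(port, "plaintext", False)
    offered = ehlo_reply is not None and "STARTTLS" in ehlo_keywords(ehlo_reply)
    if offered:
        return Decision(port, "starttls", True)
    if tls_policy == "required":
        return Decision(port, "abort", False)   # refuse rather than downgrade
    return Decision(port, "plaintext", False)   # opportunistic fallback

if __name__ == "__main__":
    for policy in ("if-available", "required"):
        for reply in (EHLO_WITH_STARTTLS, EHLO_PLAIN_ONLY):
            d = choose_transport(25, reply, policy)
            print(f"{policy:13s} port 25 -> {d.mode:12s} encrypted={d.encrypted}")
    print("port 465 ->", choose_transport(465, None, "if-available").mode)
```

The "if-available" rows show why the guide's wording matters: with opportunistic TLS, a peer that does not advertise STARTTLS still gets its mail delivered, in plain text, so enabling SMTP over SSL/TLS on the FortiMail unit is what turns the encrypted path on for peers that ask for it.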
Adding a domain

You create domains to define the email server(s) that the FortiMail unit protects. Usually, you configure at least one domain as part of your installation. You can add more domains or modify the settings of existing ones as needed. It is good form to configure a local domain name that is different from the domain name of your back end mail server. The local domain name is used by many FortiMail features such as email quarantine, Bayesian database training, spam reports, and DSN notifications. A subdomain of the protected domain is recommended for the local domain because it saves registering a separate domain.

To add a domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the domain name including the suffix. For example, company.com.
4. Enter the IP address or name of the SMTP server, and the port number if different from the default 25. Entering the email server IP address or server name tells the FortiMail gateway where the email server is, so that it can route mail to it.
5. Select OK.

Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization, at the same or different locations. For example:
• accounting.company.com
• dev.company.com

Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1. Go to Mail Settings > Domains.
2. Select Create New.
3. Enter the local domain name.
4. Enter the domain name including the suffix. For example, company.com.
5. Enter the IP address of the SMTP server, and the port number if different from the default 25. Entering the email server IP address tells the FortiMail gateway where the email server is, so that it can route mail to it.
6. Select Is Subdomain.
7. Select the main domain the local domain is a part of.
8. Select OK.

The FortiMail unit must relay all email, outgoing and incoming, through the head office email hub. You must ensure that the FortiMail unit passes the email to the correct domain email server. After configuring the domain, edit the domain information to configure additional settings that make the FortiMail unit transparent to the email servers.

To configure the transparent options
1. Go to Mail Settings > Domains.
2. Select the Edit icon for the email domain.
3. Go to the Transparent Mode Options section, configure the following settings and select OK:

This server is on: Select the port connected to the email server hub. In this example, it is port 1.
Hide the transparent box: Select to enable the FortiMail unit to hide its presence by using the IP address of the domain email server or client as required.
Use the domain server to deliver the email: Select to relay email to the domain server of the WAN domain that the email sender specified. If not selected, the FortiMail unit relays the email directly to the email destination domain, which is not desired in this example.
Configuring proxies

Proxy servers act as a buffer between the network and the Internet. Proxy servers between user workstations and the Internet provide security and administrative control, and give access to resources stored on the proxy. In transparent mode, the SMTP proxy settings determine whether email is dropped, passed through, or proxied. These settings apply to all email except email destined for the FortiMail unit itself, such as email from users requesting deletion or release of quarantined email.

Email can be scanned only if it is proxied. The FortiMail unit receives the email, scans it and (if the email passes the scan) relays it to the email server. You configure proxy operation separately for incoming and outgoing email traffic. Regardless of the destination email address, email passing from the network to the back end email server is considered incoming, and email passing from the back end email server to the network is considered outgoing. This example requires the FortiMail interface to act as a proxy so that the FortiMail unit can scan email passing through to the email server. Also, the email must simply pass through the FortiMail unit when the hub email server relays an email message to another domain email server on the network or on the intranet. It is also important to prevent SMTP clients from using the FortiMail unit itself as an SMTP server. The proxy settings enable this flexibility.

To configure SMTP proxy settings
1. Go to Mail Settings > Proxies.
2. Configure the following and select Apply:

Port 1
  Incoming SMTP connections: are passed through
  Outgoing SMTP connections: are passed through
  Local SMTP connections: are allowed
Port 2
  Incoming SMTP connections: are proxied
  Outgoing SMTP connections: are proxied
  Local SMTP connections: are not allowed
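The per-port settings above, and the general description of proxying, pass-through and local connections in the earlier "Configuring proxies" section, can be read as a small decision rule. The following is an added example, not code from the guide or from Fortinet, that applies that rule to constructed connections in the email-hub layout. It assumes that the setting consulted is the one for the port a connection arrives on, that a connection is "local" when its destination is the FortiMail management IP and "incoming" when its destination is the protected hub server, and that everything else is "outgoing"; all IP addresses are invented.

```python
"""Added example (not part of the FortiMail guide): the per-port SMTP proxy
settings from this section as a decision function, applied to constructed
connections in the email-hub layout.  Assumptions: the setting applied is the
one for the port the connection arrives on; a connection is "local" when its
destination is the FortiMail management IP, "incoming" when its destination is
the protected hub server, and "outgoing" otherwise.  Addresses are invented."""
from dataclasses import dataclass
from typing import Dict, Tuple

FORTIMAIL_MGMT_IP = "192.168.10.99"   # constructed management IP
HUB_SERVER = "192.168.10.25"          # head office hub, reached via port 1 (assumed address)

# Mail Settings > Proxies, as configured in the procedure above.
PROXY_SETTINGS: Dict[str, Dict[str, str]] = {
    "port1": {"incoming": "passed through", "outgoing": "passed through", "local": "allowed"},
    "port2": {"incoming": "proxied", "outgoing": "proxied", "local": "not allowed"},
}

@dataclass(frozen=True)
class SmtpConnection:
    ingress_port: str   # FortiMail interface the TCP connection arrives on
    src_ip: str
    dst_ip: str

def classify(conn: SmtpConnection) -> str:
    """Local: aimed at the FortiMail unit itself (quarantine release and the like).
    Incoming: toward the protected back end server.  Outgoing: everything else."""
    if conn.dst_ip == FORTIMAIL_MGMT_IP:
        return "local"
    if conn.dst_ip == HUB_SERVER:
        return "incoming"
    return "outgoing"

def disposition(conn: SmtpConnection,
                settings: Dict[str, Dict[str, str]] = PROXY_SETTINGS) -> Tuple[str, str]:
    """Return (classification, action): 'proxied' means scanned and relayed,
    'passed through' means bridged untouched, 'not allowed' means refused."""
    kind = classify(conn)
    return kind, settings[conn.ingress_port][kind]

# Constructed connections in the hub deployment.
CASES: Dict[str, SmtpConnection] = {
    "domain A server -> hub":         SmtpConnection("port2", "10.20.5.25", HUB_SERVER),
    "hub -> domain B server":         SmtpConnection("port1", HUB_SERVER, "10.30.5.25"),
    "hub -> Internet (encrypted)":    SmtpConnection("port1", HUB_SERVER, "203.0.113.25"),
    "WAN client -> FortiMail as MTA": SmtpConnection("port2", "10.20.5.77", FORTIMAIL_MGMT_IP),
    "head office user -> FortiMail":  SmtpConnection("port1", "192.168.10.40", FORTIMAIL_MGMT_IP),
}

if __name__ == "__main__":
    for name, conn in CASES.items():
        kind, action = disposition(conn)
        print(f"{name:32s} {kind:9s} {action}")
```

Read against the section's goals: mail from the domain servers toward the hub is the only traffic that is scanned, the hub's encrypted relays are bridged without interference, and a host on the WAN side cannot use the unit as its SMTP server.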
Next Steps

The configuration is now complete. Using your email client software, try sending email using the test user to verify that you can send and receive email. If you are having difficulties, review the steps and the values entered to ensure they are correct. See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
Configuring server mode

This chapter describes how to configure a FortiMail unit to operate in server mode. In server mode the FortiMail unit acts as a fully functional email server. Use these deployment and configuration examples to install the FortiMail unit on your network, or use them as a guide for your own network topology. Additional configuration information and details are available in the FortiMail Administration Guide. All examples use a FortiGate firewall device. If you are using an alternate firewall, consult the appliance's documentation for completing similar configurations.

Note: This chapter uses the FortiMail unit in the advanced management mode.

This chapter includes the following:
• Switching to server mode
• Configuring MX records to route incoming email
• FortiMail Server behind a firewall
• FortiMail Server in front of a firewall
• FortiMail Server in DMZ
Switching to server mode

Before you begin configuring the FortiMail unit, ensure the unit is in server mode. To verify, go to System > Status and check the Operation Mode.

To change the operation mode
1. Go to System > Status.
2. Select Change for the Operation Mode.
3. Select Server from the list and select OK.
Configuring MX records to route incoming email Mail Exchange (MX) Records are used to route email to specific destinations. It is an entry in a domain name database such as a DNS server. If a local DNS server exists, MX Records can be added or changed on the DNS server using one of several user interfaces depending on the operating system used. When a user sends an e-mail, the sender’s mail server performs a DNS lookup using the recipients domain name, for example, “example.com” in the email address “[email protected]”, and acquires the MX Record. The MX Record contains the domain and host names. The sending mail server uses this information to send the e-mail to the recipient’s mail server. FortiMail Version 3.0 MR2 Install Guide 06-30002-0234-20071212
65
FortiMail Server behind a firewall
Configuring server mode
In order to route incoming email through the FortiMail unit for scanning, you need to register a Fully Qualified Domain Name (FQDN), for example, fm.exampledom.com, and a global IP address for the FortiMail unit. For example, using the information from the table below, configure the MX record to point to the FortiMail email server.

Email server: mail.exampledom.com
FortiMail hostname: fm.exampledom.com
FortiMail IP address: 172.16.15.2

For example:
exampledom.com.     IN MX 10 fm.exampledom.com.
fm.exampledom.com.  IN A     172.16.15.2

The A record

The second line in the above example is
fm.exampledom.com.  IN A     172.16.15.2
This is an address record, commonly called an A record. It is a type of DNS entry that assigns an IP address to a domain name. Before email is sent out, the MX and A records for the recipient are looked up in the DNS server by the sender’s mail server. Then, using the A record entry, the email is sent to the recipient’s mail server at the corresponding IP address.
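The following is an added example, not part of the guide: a small parser for zone lines in the form shown above that works out which host, and which address, receives mail for a domain. The zone text is constructed around the guide's hostnames and address; the preference values and the second, lower-priority MX host are assumptions added to show the ordering. Note that in the behind-firewall deployment described later in this chapter, the public A record must carry the address that reaches the FortiGate virtual IP rather than the unit's internal address; the check here catches the other common cause of silently undeliverable inbound mail, an MX target that has no A record at all.

```python
"""Parse MX and A records and resolve where inbound mail for a domain goes.
Added example, not from the FortiMail guide. The zone fragment below is
constructed: it reuses the guide's fm.exampledom.com / 172.16.15.2 and
adds an assumed second MX host and preference values."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample zone (not from the guide).
SAMPLE_ZONE = """
$ORIGIN exampledom.com.
@                    IN MX 10 fm.exampledom.com.    ; FortiMail unit, preferred
@                    IN MX 20 mail.exampledom.com.  ; assumed fallback host
fm.exampledom.com.   IN A  172.16.15.2
mail.exampledom.com. IN A  172.16.15.3
"""

RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(MX|A)\s+(.+)$")


def _fqdn(name: str, origin: str) -> str:
    """Expand '@' and relative names against $ORIGIN; strip the root dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def parse_zone(text: str) -> Tuple[Dict[str, List[Tuple[int, str]]], Dict[str, str]]:
    """Return (mx, a): mx maps domain -> [(preference, host)], a maps host -> IP."""
    origin = ""
    mx: Dict[str, List[Tuple[int, str]]] = {}
    a: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {raw!r}")
        owner, rtype, rdata = m.groups()
        owner = _fqdn(owner, origin)
        if rtype == "MX":
            pref, host = rdata.split()           # MX RDATA is "<preference> <host>"
            mx.setdefault(owner, []).append((int(pref), _fqdn(host, origin)))
        else:
            a[owner] = str(ipaddress.IPv4Address(rdata.strip()))  # validates the address
    return mx, a


def mail_targets(domain: str, mx, a) -> List[Tuple[int, str, str]]:
    """Hosts that accept mail for `domain`, lowest preference first, each
    with its A record. An MX target without an A record is reported as an
    error because sending servers cannot deliver to it."""
    targets = sorted(mx.get(domain.lower(), []))
    if not targets:
        raise LookupError(f"no MX record for {domain}")
    out = []
    for pref, host in targets:
        if host not in a:
            raise LookupError(f"MX target {host} has no A record")
        out.append((pref, host, a[host]))
    return out


if __name__ == "__main__":
    mx_records, a_records = parse_zone(SAMPLE_ZONE)
    for pref, host, ip in mail_targets("exampledom.com", mx_records, a_records):
        print(f"{pref:3} {host:24} {ip}")
```

The lowest preference wins, so with the zone above inbound mail is delivered to fm.exampledom.com first, and the second host is only tried if the FortiMail unit is unreachable.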
FortiMail Server behind a firewall

The FortiMail unit is positioned behind a firewall. With the FortiMail unit set up this way, the firewall blocks any attacks on the FortiMail unit.

Figure 11: FortiMail Server behind firewall (diagram: Internet Router, Firewall with External and Internal interfaces, Switch, DNS Server)
Configuring the network settings

Use the following table to gather the information you need to customize the server mode settings.

Table 7: Gateway mode settings
Administrator Password:
Network settings
Port 1  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 2  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 3  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 4  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 5  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 6  IP: _____._____._____._____  Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to your internal network hub or switch. The IP address of Port 1 must be on the same subnet as the network and cannot use the same address as another device or computer on the network. Assign a static IP address or configure the interface for dynamic IP address assignment using DHCP if the network supports it.
Configuring a static IP address

To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface that you are connected to, you must reconnect to the web-based manager using the new IP address.
Configuring an interface for DHCP

You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may assign IP addresses using DHCP. Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet.

When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if you need to configure them manually.

To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP. The FortiMail unit attempts to contact the DHCP server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
4 If required, select Retrieve default gateway and DNS from server to disable this option.
5 Select OK.
Configuring DNS and default gateway

You need to configure DNS server addresses and a default gateway so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider. In simple terms, DNS acts as a phone book for the Internet: a DNS server matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.

To add DNS server IP addresses
1 Go to System > Network > Network.
2 Enter the primary and secondary DNS server IP addresses.
3 Enter the default gateway address. The default gateway address will be the firewall interface on the same network as the FortiMail interface.
4 Select Apply.
Configuring the email system settings

The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings and email access permissions.
Configuring basic email system settings

Configure the FortiMail unit basic email system settings, including host name and domain name.

To configure the basic email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information:
Host Name: Enter the name for the FortiMail unit.
POP3 Server Port Number: Enter the port number for the POP3 server. The default is 110.
SMTP Server Port Number: Enter the SMTP port number. The default SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. You can change it if needed. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. SMTP over SSL/TLS must be enabled.
SMTP Authentication: Select to enable authentication. When a user logs into the SMTP server, they require a user name and password.
3 Select the blue arrow for Relay server to expand the options.
4 Enter a relay server name, port and authentication if your ISP provides a relay email server.
5 Select Apply.
Adding a domain

Create a domain entry for the server. Ensure you use the same domain you used when setting up the MX record.

To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Select Advanced Settings to configure LDAP mail routing.
5 Select Advanced AS/AV to configure anti-spam and anti-virus options.
6 Select OK.
Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:
• accounting.example.com
• dev.example.com
Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Select Is Subdomain and select the main domain the local domain is a part of.
5 Complete the LDAP authentication settings if required.
6 Select OK.
Add a test user

Add one or two test users to the FortiMail server so you can verify that an email client can send and receive mail with FortiMail.

To add a test user
1 Go to User > Mail User.
2 Select Create New.
3 Complete the following and select OK:
User Name: Enter the user name with no spaces.
Password: Enter a password for the user.
Display Name: Enter the name that appears in the email client as the sender.
Configuring the firewall

With the FortiMail unit behind the FortiGate firewall, you must configure policies to ensure that incoming SMTP traffic goes to the FortiMail unit and outgoing SMTP traffic passes through the firewall. To accomplish this, configure a virtual IP address (VIP) on the FortiGate unit for the FortiMail unit. When the FortiGate unit receives traffic destined for the VIP, the FortiGate unit automatically directs the message to the internal IP address of the FortiMail unit.

Note: The following steps use a FortiGate firewall device. If you are using an alternate firewall appliance, consult the appliance’s documentation for completing similar configurations.
Configuring the incoming mail policy

Create a firewall policy that permits all SMTP traffic on port 25 to pass from the Internet to the FortiMail unit. First, you must create an address entry for the FortiMail unit.
To create an address for the FortiMail unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:
Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select the interface for the FortiGate unit connected to the Internet.
To configure the incoming policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the external interface connected to the Internet.
Source Address Name: Select ALL to enable all incoming email messages.
Destination Interface/zone: Select the internal interface connected to the network.
Destination Address Name: Select the FortiMail unit address from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Configure the outgoing mail policy

You also need to add a firewall policy for the FortiMail unit to send email to the Internet.

To configure the outgoing policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select the FortiMail unit from the list.
Destination Interface/zone: Select the external interface.
Destination Address Name: Select ALL.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Next Steps

The configuration is now complete. Using your email client software, try sending email using the test user to verify that the FortiMail server can send and receive email. If you are having difficulties, review the steps and the values entered to ensure they are correct. See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
FortiMail Server in front of a firewall

The FortiMail unit is positioned in front of the firewall. The benefit of this setup is that if the Server is compromised by attacks, your internal network is not jeopardized. However, the Server is not protected by the firewall.

Figure 12: FortiMail Server in front of firewall (diagram: Internet Router, DNS Server, Switch, Firewall with External and Internal interfaces, To Internal Network)
Configuring the network settings

Use the following table to gather the information you need to customize the server mode settings.

Table 8: Gateway mode settings
Administrator Password:
Network settings
Port 1  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 2  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 3  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 4  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 5  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 6  IP: _____._____._____._____  Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to your internal network hub or switch. The IP address of Port 1 must be on the same subnet as the network and cannot use the same address as another device or computer on the network. Assign a static IP address or configure the interface for dynamic IP address assignment using DHCP if the network supports it.
Configuring a static IP address

To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface you are connecting to, you must reconnect to the web-based manager using the new IP address.
Configuring an interface for DHCP

You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may assign IP addresses using DHCP. Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet.

When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if you need to configure them manually.

To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP. The FortiMail unit attempts to contact the DHCP server to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
4 If required, select Retrieve default gateway and DNS from server to disable this option.
5 Select OK.
Configuring DNS and default gateway

You need to configure DNS server addresses and a default gateway so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider. In simple terms, DNS acts as a phone book for the Internet: a DNS server matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.

To add DNS server IP addresses
1 Go to System > Network > Network.
2 Enter the primary and secondary DNS server IP addresses.
3 Enter the default gateway address. The default gateway address will be the address of the router connected to the Internet.
4 Select Apply.
Configuring the email system settings

The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings and email access permissions.

Configuring basic email system settings

Configure the FortiMail unit basic email system settings, including host name and domain name.

To configure the basic email system settings
1 Go to Mail Settings > Settings > Local Host.
2 Enter the following information and select Apply:
Host Name: Enter the name for the FortiMail unit.
POP3 Server Port Number: Enter the port number for the POP3 server. The default is 110.
SMTP Server Port Number: Enter the SMTP port number. The default SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must enable SMTP over SSL/TLS to set this option.
SMTP Authentication: Select to enable authentication. When a user logs into the SMTP server, they require a user name and password.
3 Select the blue arrow for Relay server to expand the options.
4 Enter a relay server name, port and authentication if your ISP provides a relay email server.
5 Select Apply.
Adding a domain

Create a domain entry for the server. Ensure you use the same domain you used when setting up the MX record.

To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Select Advanced Settings to configure LDAP mail routing.
5 Select Advanced AS/AV to configure anti-spam and anti-virus options.
6 Select OK.
Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:
• accounting.example.com
• dev.example.com

Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Select Is Subdomain and select the main domain the local domain is a part of.
5 Complete the LDAP authentication settings if required.
6 Select OK.
Configuring the firewall

With the FortiMail unit in front of the FortiGate firewall, you must configure policies to ensure that incoming and outgoing SMTP traffic passes through the firewall to the users on the network. You also need a policy to pass traffic from the users to the FortiMail unit, which then sends the message on to the Internet. Both policies have the internal users as the source of the email traffic. In both receiving and sending email, the user’s email client initiates the connection to the FortiMail server, thus starting the communication (the source).

Note: The following steps use a FortiGate firewall device. If you are using an alternate firewall appliance, consult the appliance’s documentation for completing similar configurations.
Configuring the incoming mail policy

Create a firewall policy that permits all SMTP traffic from the FortiMail unit to pass to users on the internal network. First, you must create an address entry for the FortiMail unit and the email server.

To create an address for the FortiMail unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:
Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select the interface for the FortiGate unit connected to the Internet.
The incoming policy is a POP3 policy that allows users to send requests to the FortiMail unit for new mail on the FortiMail server.

To configure the incoming policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL for all internal users on the internal network.
Destination Interface/zone: Select the external interface connected to the Internet or router.
Destination Address Name: Select the FortiMail unit address from the list.
Schedule: Select ALWAYS.
Service: Select POP3.
Action: Select ACCEPT.
Configure the outgoing mail policy

Add a firewall policy for internal users to send email messages to the FortiMail mail server for scanning and sending to destinations on the Internet.

To configure the outgoing policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL for all internal users on the internal network.
Destination Interface/zone: Select the external interface connected to the Internet or router.
Destination Address Name: Select the FortiMail unit address from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Next Steps

The configuration is now complete. Using your email client software, try sending email using the test user to verify that the FortiMail server can send and receive email. If you are having difficulties, review the steps and the values entered to ensure they are correct. See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
FortiMail Server in DMZ

The FortiMail unit is positioned in the DMZ. The benefit of this setup is that the FortiMail unit is protected by the firewall, and if the Server is compromised by attacks, the internal network is not jeopardized.

Figure 13: FortiMail Server in DMZ (diagram: Internet Router, DNS Server, firewall with External, Internal and DMZ interfaces, To Internal Network)
Configuring the network settings

Use the following table to gather the information you need to customize the server mode settings.

Table 9: Gateway mode settings
Administrator Password:
Network settings
Port 1  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 2  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 3  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 4  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 5  IP: _____._____._____._____  Netmask: _____._____._____._____
Port 6  IP: _____._____._____._____  Netmask: _____._____._____._____
Default Gateway: _____._____._____._____
The management IP address and netmask must be valid for the network from which you will manage the FortiMail unit. Add a default gateway if the FortiMail unit must connect to a router to reach the management computer.
Primary DNS Server: _____._____._____._____
Secondary DNS Server: _____._____._____._____
You must configure at least one network interface to connect the FortiMail unit to the network. Connect the Port 1 interface to your internal network hub or switch. The IP address of Port 1 must be on the same subnet as the network and cannot use the same address as another device or computer on the network. Assign a static IP address or configure the interface for dynamic IP address assignment using DHCP if the network supports it.
Configuring a static IP address

To configure a network interface with a static IP address
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 Select Manual Addressing Mode.
4 Enter the IP address and netmask.
5 Select OK.
If you changed the IP address of the interface to which you are connecting to manage the FortiMail unit, you must reconnect to the web-based manager using the new IP address.
Configuring an interface for DHCP

You can configure any FortiMail interface to acquire its IP address from a Dynamic Host Configuration Protocol (DHCP) server. Your Internet Service Provider (ISP) may assign IP addresses using DHCP. Obtaining an IP address from a DHCP server ensures that the IP address for the FortiMail unit is unique and not assigned to another device, such as your FortiGate unit or other firewall device that is also connected directly to the Internet.

When configured, the FortiMail unit automatically broadcasts a DHCP request. By default, the FortiMail unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable this option if you need to configure them manually.

To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Select Modify for Port 1.
3 In the Addressing Mode section, select DHCP. The FortiMail unit attempts to contact the DHCP server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
4 If required, select Retrieve default gateway and DNS from server to disable this option.
5 Select OK.
Configuring DNS and default gateway

You need to configure DNS server addresses and a default gateway so that the FortiMail unit can send and receive email. DNS server IP addresses are typically provided by your Internet service provider. In simple terms, DNS acts as a phone book for the Internet: a DNS server matches domain names with computer IP addresses. This enables you to use readable locations, such as fortinet.com. The DNS server translates this name to a mail exchange server IP address to deliver an email message.

To add DNS server IP addresses
1 Go to System > Network > Network.
2 Enter the primary and secondary DNS server IP addresses.
3 Enter the default gateway address. The default gateway address will be the DMZ address.
4 Select Apply.
Configuring the email system settings

The FortiMail unit relays email after scanning for viruses and spam. You need to configure basic email system settings and email access permissions.

Configuring basic email system settings

Configure the FortiMail unit basic email system settings, including host name and domain name.

To configure the email system settings
1 Go to Mail Settings > Settings > Settings.
2 Enter the following information and select Apply:
Host Name: Enter the name for the FortiMail unit.
POP3 Server Port Number: Enter the port number for the POP3 server. The default is 110.
SMTP Server Port Number: Enter the SMTP port number. The default SMTP port number is 25.
SMTP over SSL/TLS: Enable to accept SSL/TLS encrypted email from servers that have enabled Use SSL/TLS if available. Otherwise, the FortiMail SMTP server receives plain text email.
SMTPS Server Port Number: The default port number is 465. This allows the encrypted SMTP traffic to pass through the SMTPS Server Port. You must set SMTP over SSL/TLS before setting this option.
SMTP Authentication: Select to enable authentication. When a user logs into the SMTP server, they require a user name and password.
3 Select the blue arrow for Relay server to expand the options.
4 Enter a relay server name and authentication if your ISP provides a relay email server.
5 Select Apply.
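The basic email system settings above, and the identical settings in the earlier "FortiMail Server behind a firewall" and "FortiMail Server in front of a firewall" sections, can be confirmed from the outside by reading what the listener advertises after EHLO. The following is an added example and not FortiMail code; the host name, ports and sample EHLO reply are constructed assumptions, and it takes the guide's "SMTP over SSL/TLS" to appear as STARTTLS on the SMTP port and SMTPS to mean implicit TLS on port 465.

```python
"""Check what a FortiMail SMTP listener advertises after EHLO, to confirm the
Local Host settings took effect. Added example, not FortiMail code. The host
name, the ports and SAMPLE_EHLO are constructed assumptions; "SMTP over
SSL/TLS" is assumed to surface as STARTTLS on the SMTP port, and the SMTPS
port (465) as implicit TLS."""
import smtplib
import ssl
from typing import Dict, List

# Constructed EHLO reply in the form smtplib keeps in SMTP.ehlo_resp:
# the server's name on the first line, then one keyword per line.
SAMPLE_EHLO = b"fm.exampledom.com\nSIZE 10485760\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"


def parse_ehlo(reply: bytes) -> Dict[str, List[str]]:
    """Map each advertised keyword to its parameters, skipping the greeting line."""
    caps: Dict[str, List[str]] = {}
    for line in reply.decode("latin-1").splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def assess(caps: Dict[str, List[str]], tls_already: bool = False) -> Dict[str, object]:
    """Relate the advertised keywords to the settings in the guide.
    tls_already=True means the session was encrypted before EHLO (SMTPS)."""
    starttls = "STARTTLS" in caps
    auth = "AUTH" in caps
    return {
        "starttls": starttls,                        # SMTP over SSL/TLS enabled
        "auth": auth,                                # SMTP Authentication enabled
        "auth_mechanisms": caps.get("AUTH", []),
        # Authentication offered on a session that cannot be encrypted means
        # user passwords would cross the network in clear text.
        "auth_without_tls": auth and not (starttls or tls_already),
    }


def probe_smtp(host: str, port: int = 25, timeout: float = 10) -> Dict[str, object]:
    """Live check of the SMTP Server Port (default 25 in the guide).
    Needs network access to the FortiMail unit."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return assess(parse_ehlo(s.ehlo_resp))


def probe_smtps(host: str, port: int = 465, timeout: float = 10) -> Dict[str, object]:
    """Live check of the SMTPS Server Port (default 465). The TLS handshake
    happens before EHLO, so no STARTTLS keyword is expected here."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
        s.ehlo()
        return assess(parse_ehlo(s.ehlo_resp), tls_already=True)


if __name__ == "__main__":
    # Replace with the Host Name entered under Mail Settings > Settings.
    print(probe_smtp("fm.exampledom.com"))
    print(probe_smtps("fm.exampledom.com"))
```

Run it from a host that can reach the unit on both ports. A result with "auth" true and "starttls" false on port 25 is the combination to act on: SMTP Authentication is enabled but SMTP over SSL/TLS is not, so client credentials are sent in the clear.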
Adding a domain

Create a domain entry for the server. Ensure you use the same domain you used when setting up the MX record.

To add a domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the domain name including the suffix. For example, company.com.
4 Select Advanced Settings to configure LDAP mail routing.
5 Select Advanced AS/AV to configure anti-spam and anti-virus options.
6 Select OK.
Creating local domains

Add multiple local email domains on the FortiMail unit if required for different departments in your organization at the same or different locations. For example:
• accounting.example.com
• dev.example.com

Once created, you can add users to the local domain. For information on adding email users to a local domain, see the FortiMail Administration Guide.

Note: Deleting a domain also deletes all email users in that domain.
To create a local domain
1 Go to Mail Settings > Domains.
2 Select Create New.
3 Enter the local domain name.
4 Select Is Subdomain and select the main domain the local domain is a part of.
5 Complete the LDAP authentication settings if required.
6 Select OK.
Configuring the firewall

With the FortiMail unit in the DMZ, you must configure policies to ensure that incoming POP3 and outgoing SMTP traffic passes through the firewall to the users on the network and so that the FortiMail unit can send and receive SMTP traffic to and from the Internet.

Note: The following steps use a FortiGate firewall device. If you are using an alternate firewall appliance, consult the appliance’s documentation for completing similar configurations.
Configuring the incoming mail policy

Create a firewall policy that permits all SMTP traffic from the Internet to pass through the firewall and arrive at the FortiMail unit on the DMZ interface. First, you must create an address entry for the FortiMail unit.
To create an address for the FortiMail unit
1 Go to Firewall > Address.
2 Select Create New.
3 Complete the following and select OK:
Name: Enter the name of the FortiMail unit.
Type: Select Subnet/IP Range.
Subnet/IP Range: Enter the IP address of the FortiMail unit.
Interface: Select DMZ.
To configure the incoming policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the external interface connected to the network.
Source Address Name: Select ALL for all external sources on the Internet.
Destination Interface/zone: Select the DMZ interface.
Destination Address Name: Select the FortiMail unit address from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Configure the outgoing mail policy

Add a firewall policy for the FortiMail unit to send email messages to destinations on the Internet.

To configure the outgoing policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the DMZ interface.
Source Address Name: Select the FortiMail unit address from the list.
Destination Interface/zone: Select the external interface connected to the Internet.
Destination Address Name: Select ALL.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
Configuring the users’ incoming mail policy

Create a firewall policy that permits all SMTP traffic from the FortiMail unit to pass to users on the internal network. Both of the following policies have the internal users as the source of the email traffic. In both receiving and sending email, the user’s email client initiates the connection to the FortiMail server, thus starting the communication (the source). The incoming policy is a POP3 policy that allows users to send requests to the FortiMail unit for new mail on the server.

To configure the incoming policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL for all internal users on the internal network.
Destination Interface/zone: Select DMZ.
Destination Address Name: Select the FortiMail unit address from the list.
Schedule: Select ALWAYS.
Service: Select POP3.
Action: Select ACCEPT.
Configure the users’ outgoing mail policy
Add a firewall policy for internal users to send email messages to the FortiMail mail server for scanning and delivery to destinations on the Internet.
To configure the outgoing policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Complete the following and select OK:
Source Interface/zone: Select the internal interface connected to the network.
Source Address Name: Select ALL for all internal users on the internal network.
Destination Interface/zone: Select DMZ.
Destination Address Name: Select the FortiMail unit address from the list.
Schedule: Select ALWAYS.
Service: Select SMTP.
Action: Select ACCEPT.
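The four policies of this chapter, modelled as a first-match table so the resulting ruleset can be checked before it goes live. This is an added example, not configuration from the FortiMail guide or FortiOS code. The interface names (external, dmz, internal), the address object name FortiMail_DMZ, the sample flows, and the assumption that the first (Internet to FortiMail) policy uses source ALL are all constructed for the demonstration.

```python
"""First-match model of the FortiGate policies for a FortiMail unit in the DMZ.

Added example, not from the FortiMail guide.  Interface names, the address
object "FortiMail_DMZ" and the sample flows are assumptions.  Policies are
evaluated top-down, the first match wins, and an unmatched flow is dropped by
the implicit deny, which is the behaviour this model reproduces.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src_intf: str
    src_addr: str      # address object name or "ALL"
    dst_intf: str
    dst_addr: str      # address object name or "ALL"
    service: str       # "SMTP", "POP3", ...
    action: str        # "ACCEPT" or "DENY"


@dataclass(frozen=True)
class Flow:
    src_intf: str
    src_addr: str
    dst_intf: str
    dst_addr: str
    service: str


# The policy table from this chapter.  The first policy is only partly shown
# above; its source is assumed to be ALL on the external interface.
DMZ_POLICIES = [
    Policy("external", "ALL", "dmz", "FortiMail_DMZ", "SMTP", "ACCEPT"),
    Policy("dmz", "FortiMail_DMZ", "external", "ALL", "SMTP", "ACCEPT"),
    Policy("internal", "ALL", "dmz", "FortiMail_DMZ", "POP3", "ACCEPT"),
    Policy("internal", "ALL", "dmz", "FortiMail_DMZ", "SMTP", "ACCEPT"),
]


def _addr_matches(rule_addr, flow_addr):
    return rule_addr == "ALL" or rule_addr == flow_addr


def match_policy(policies, flow):
    """Return the first policy matching the flow, or None (implicit deny)."""
    for p in policies:
        if (p.src_intf == flow.src_intf and p.dst_intf == flow.dst_intf
                and _addr_matches(p.src_addr, flow.src_addr)
                and _addr_matches(p.dst_addr, flow.dst_addr)
                and p.service == flow.service):
            return p
    return None


def is_allowed(policies, flow):
    p = match_policy(policies, flow)
    return p is not None and p.action == "ACCEPT"


def audit(policies, cases):
    """Descriptions of (description, flow, expected) cases whose verdict is wrong."""
    return [desc for desc, flow, expected in cases
            if is_allowed(policies, flow) != expected]


# Constructed flows: the ones the chapter sets up must pass, and flows the
# chapter never mentions must fall through to the implicit deny.
SAMPLE_FLOWS = [
    ("inbound SMTP from Internet",
     Flow("external", "203.0.113.7", "dmz", "FortiMail_DMZ", "SMTP"), True),
    ("outbound SMTP from FortiMail",
     Flow("dmz", "FortiMail_DMZ", "external", "198.51.100.25", "SMTP"), True),
    ("user POP3 fetch",
     Flow("internal", "192.0.2.10", "dmz", "FortiMail_DMZ", "POP3"), True),
    ("user SMTP submit",
     Flow("internal", "192.0.2.10", "dmz", "FortiMail_DMZ", "SMTP"), True),
    ("Internet POP3 to FortiMail",
     Flow("external", "203.0.113.7", "dmz", "FortiMail_DMZ", "POP3"), False),
    ("FortiMail SMTP into internal network",
     Flow("dmz", "FortiMail_DMZ", "internal", "192.0.2.10", "SMTP"), False),
    ("Internet HTTPS to FortiMail",
     Flow("external", "203.0.113.7", "dmz", "FortiMail_DMZ", "HTTPS"), False),
    ("other DMZ host outbound SMTP",
     Flow("dmz", "10.10.10.99", "external", "198.51.100.25", "SMTP"), False),
]

if __name__ == "__main__":
    bad = audit(DMZ_POLICIES, SAMPLE_FLOWS)
    print("policy set matches expectations" if not bad else f"unexpected: {bad}")
```

The flows the chapter never grants (POP3 from the Internet, SMTP from the FortiMail unit into the internal network, SMTP from some other DMZ host) all fall through to the implicit deny, which is the least-privilege property that placing the unit in the DMZ is meant to give you. If users are expected to reach the webmail interface, an explicit HTTP/HTTPS policy from the internal interface to the FortiMail address is needed; the table as written has none.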
Next Steps
The configuration is now complete. Using your email client software, try sending email using the test user to verify that the FortiMail server can send and receive email. If you are having difficulties, review the steps and the values entered to ensure they are correct. See the chapter “Testing and next steps” on page 79 for information on testing the installation and the next steps to complete the installation of your FortiMail unit.
Advanced configuration
The preceding chapter described how to configure your FortiMail unit for the network in one of the three modes. The next step is to configure the FortiMail unit to scan email for viruses and spam, providing maximum protection against blended email threats and increasing your users’ productivity. This chapter describes additional configuration you should consider when integrating the FortiMail unit into your network.
This chapter includes:
• Set the date and time
• Updating antivirus signatures
• Receiving regular antivirus updates
• Configuring antispam
• Create profiles
• Create policies
• Add users (Server mode)
Set the date and time
For effective scheduling and logging, and for correlating FortiMail logs with those of other devices, the FortiMail system date and time must be accurate. You can either set the system date and time manually or configure the FortiMail unit to keep its time correct automatically by synchronizing with a Network Time Protocol (NTP) server.
To set the date and time
1 Go to System > Config > Time.
2 Select your Time Zone from the list.
3 Optionally, select the Automatically adjust clock for daylight saving changes check box.
4 Select Set Time and set the FortiMail system date and time.
5 Select OK.
Note: If you choose the option Automatically adjust clock for daylight saving changes, the system time must be manually adjusted after daylight saving time ends.
To use NTP to set the FortiMail date and time
1 Go to System > Config > Time.
2 Select Synchronize with NTP Server to configure the FortiMail unit to use NTP to set the system time and date automatically.
3 Enter the IP address or domain name of the NTP server that the FortiMail unit can use to set its time and date.
4 Specify how often the FortiMail unit should synchronize its time with the NTP server.
5 Select OK.
Updating antivirus signatures
You can configure the FortiMail unit to connect to the FortiGuard Distribution Network (FDN) to update the antivirus and antispam definitions. The FDN is a worldwide network of FortiGuard Distribution Servers (FDS). When the FortiMail unit connects to the FDN, it connects to the nearest FDS. To do this, all FortiMail units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiMail unit.
Before you can begin receiving updates, you must register your FortiMail unit on the Fortinet web page. For information on registering your FortiMail unit, see “Register your FortiMail unit” on page 7.
The FortiGuard Center enables you to receive push updates, allow push updates to a specific IP address, and schedule updates at hourly, daily, or weekly intervals.
To update antivirus definitions
1 Go to System > Update.
2 Select Update Now to update the antivirus definitions.
If the connection to the FDN is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System FortiGuard Center page lists new version information for the antivirus definitions. The System Status page also displays new dates and version numbers for the antivirus definitions. Messages are recorded in the event log indicating whether or not the update was successful.
Note: Updating antivirus definitions can cause a very short disruption in traffic currently being scanned while the FortiMail unit applies the new signature database. To minimize any disruption, schedule updates when traffic is light, for example overnight.
Receiving regular antivirus updates
The FortiMail unit enables you to select when and how you want to receive antivirus signature updates. You can use either the FortiGuard push service or scheduled updates. The push service automatically sends the FortiMail unit new antivirus definitions as soon as they are available. While this can cause slight email scanning disruptions during the update, it ensures that the virus definitions are current, minimizing the possibility of a new virus breaching the network.
By selecting scheduled updates, you define when the FortiMail unit receives the latest antivirus signatures. For example, you can schedule updates every night at 2 am, or weekly on Sunday when email traffic is low. While this may leave your network potentially vulnerable to a brand new virus, it minimizes disruption to the email service, which may be a benefit if your business relies on timely email communications.
Configuring push updates
Enable push updates to ensure your FortiMail unit has the most current antivirus signatures available for scanning email.
To enable push updates
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Use override push IP if required and enter the IP address and port number. Override push IP addresses and ports are used when there is a NAT device between the FortiMail unit and the FDN. The FortiMail unit sends the override push IP address and port to the FDN, and the FDN then uses this IP address and port for push updates to the FortiMail unit on the internal network. The NAT device must forward that address and port to the FortiMail unit for the push to arrive.
4 Select Apply.
Scheduling antivirus updates
Configure a schedule for the frequency of the antivirus updates.
To enable scheduled updates
1 Go to System > Update.
2 Select the Scheduled Update check box.
3 Select one of the following to check for and download updates:
Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and time of day to check for updates.
4 Select Apply.
The FortiMail unit starts the next scheduled update according to the new update schedule. Whenever the FortiMail unit runs a scheduled update, the event is recorded in the FortiMail event log.
Adding an override server
If you cannot connect to the FDN, or if your organization provides updates using its own FortiGuard server, use the following procedure to add the address of an override FortiGuard server.
To add an override server from the web-based manager
1 Go to System > Update.
2 Select the Use override server address check box.
3 Type the fully qualified domain name or IP address of the FortiGuard server.
4 Select Apply.
The FortiMail unit tests the connection to the override server. If the FDN setting changes to available, the FortiMail unit has successfully connected to the override server. If the FDN setting stays at not available, the FortiMail unit cannot connect to the override server. Check the FortiMail configuration and the network configuration for settings that would prevent the FortiMail unit from connecting to the override FortiGuard server.
Configuring antispam
To combat spam, the FortiMail unit provides a number of methods of filtering unwanted email. If you have a FortiGuard subscription, much of the spam sent to your domains is caught by the FortiGuard filtering system; Fortinet employs a team that continually monitors spam patterns and updates the databases daily. There are additional system-wide antispam settings that enable you to train the FortiMail unit as to what is, and what is not, spam. These include:
• Black/White lists, which enable you to block or allow email from the email addresses or domains you specify
• Bayesian training, to train the Bayesian databases so that antispam scanning becomes more accurate
• Heuristic training, using predefined rules
Once configured you can incorporate these settings into antispam profiles. The following are a few of the antispam options that you can initiate on the FortiMail unit to stop the flow of spam.
Black/White lists
In some cases, mail tagged as spam comes from a sender you want to hear from, while mail from senders you do not want to hear from slips past the spam filters and reaches your inbox. White lists and black lists enable you and your users to maintain lists of email addresses that you do or do not want to receive email from. White lists contain the domains and user email addresses of senders you want to receive from; they help to eliminate false positives. Black lists are the opposite: users and domains in a black list are blocked from sending email to recipients on the network.
The FortiMail unit can block or allow email from the email addresses, domains, or IP addresses you specify at the system, session, and personal levels. You add the email addresses, domains, or IP addresses that you want to block to the black list, and those that you allow to pass to the white list. Mail is checked against the system and user lists whenever it matches any policy, recipient-based or IP-based. Mail is checked against session lists only when lists are enabled in a session profile specified in an IP-based policy that matches the message traffic, whether or not a recipient-based policy also matches.
While this can be very effective in maintaining lists of users and domains to allow and block, some caution must be taken. Black/white lists are simple and efficient tools for fighting spam and enhancing performance, but they can also cause false positives and false negatives if not used carefully. For example, a white list entry of *.edu would allow all mail claiming to come from the .edu top level domain to bypass the FortiMail unit's antispam scanning.
Administrators and users can configure separate black/white lists. Administrators can configure system level lists and personal level lists using the web-based manager, while users can configure and maintain their own personal lists using the webmail interface.
System lists take precedence over personal lists. That is, if the FortiMail unit receives an email that is white listed at the system level and black listed at the personal level, the user will still receive the email. Conversely, if the FortiMail unit receives an email that is black listed at the system level and white listed at the personal level, the user will not receive the email.
To add system level black/white lists
1 Go to AntiSpam > Black/White List > System.
2 Do one of the following:
• To block email, select Black List.
• To allow email, select White List.
3 Enter the email address, domain, or IP address that you want to block or allow.
4 Select Add.
To add personal level black/white lists
1 Go to AntiSpam > Black/White List > Personal.
2 Select the domain that contains the user whose black or white list you want to configure.
3 Type the user's username (for an existing user or a new one) and select OK.
4 Turn on Add outgoing email addresses to "White" list if you want the FortiMail unit to treat email sent from these addresses as non-spam email in the future.
5 Do one of the following:
• To block email, select Black List.
• To allow email, select White List.
6 Enter the email address, domain, or IP address that you want to block or allow.
7 Select Add.
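The precedence rules just described, written out so they can be tested: system lists are consulted first, then personal lists, and the first level that matches decides. This is an added example, not FortiMail code. The list entries, sender addresses and client IP addresses are constructed, and one detail the guide does not state, what happens when a black and a white entry at the same level both match, is resolved here by assuming the black list wins at that level.

```python
"""System and personal black/white list precedence.

Added example, not FortiMail code.  The system lists are checked first and
the first level with a verdict decides, as the guide describes; within one
level this model assumes a black list hit beats a white list hit (the guide
does not say).  Entries may be a full address, a domain (optionally with a
leading "*." wildcard) or a client IP address.  All data below is constructed.
"""
import fnmatch
import ipaddress


def entry_matches(entry, sender, client_ip):
    """True if one list entry covers this sender address or connecting IP."""
    entry = entry.strip().lower()
    sender = sender.strip().lower()
    try:                                   # IP entry: compare to the client IP
        return ipaddress.ip_address(entry) == ipaddress.ip_address(client_ip)
    except ValueError:
        pass                               # not an IP literal
    if "@" in entry:                       # full address entry
        return fnmatch.fnmatchcase(sender, entry)
    domain = sender.rpartition("@")[2]     # domain entry, wildcard allowed
    return fnmatch.fnmatchcase(domain, entry)


def level_verdict(black, white, sender, client_ip):
    """Verdict from one level's pair of lists: "block", "allow" or None."""
    if any(entry_matches(e, sender, client_ip) for e in black):
        return "block"
    if any(entry_matches(e, sender, client_ip) for e in white):
        return "allow"
    return None


def check_lists(system, personal, sender, client_ip):
    """system and personal are (black, white) pairs.  System lists win;
    personal lists are consulted only when the system lists are silent.
    None means no list matched and normal antispam scanning applies."""
    for black, white in (system, personal):
        verdict = level_verdict(black, white, sender, client_ip)
        if verdict:
            return verdict
    return None


# Constructed lists; note the *.edu system white list entry from the text.
SYSTEM = (["spammer.example", "198.51.100.23"],          # black
          ["*.edu", "partner.example"])                  # white
ALICE = (["noreply@partner.example", "mit.edu", "annoying@corp.example"],
         ["deals@spammer.example"])

CASES = [  # (sender, client IP, expected verdict)
    ("newsletter@mit.edu", "203.0.113.5", "allow"),       # system white beats personal black
    ("deals@spammer.example", "203.0.113.5", "block"),    # system black beats personal white
    ("noreply@partner.example", "203.0.113.5", "allow"),
    ("anyone@other.example", "198.51.100.23", "block"),   # blocked by client IP, not address
    ("annoying@corp.example", "203.0.113.5", "block"),    # personal level decides
    ("bob@other.example", "203.0.113.9", None),           # falls through to scanning
]


def run_cases():
    """Return the (sender, ip) pairs whose verdict differs from the expected one."""
    return [(s, ip) for s, ip, want in CASES
            if check_lists(SYSTEM, ALICE, s, ip) != want]


if __name__ == "__main__":
    for sender, ip, _ in CASES:
        print(f"{sender:28} from {ip:15} -> {check_lists(SYSTEM, ALICE, sender, ip)}")
    print("mismatches:", run_cases())
```

Domain and address entries are matched against the sender address, which the sending system can set to anything; only the IP-address entries are tied to where the connection actually came from. A white list entry such as *.edu therefore exempts any message whose sender merely claims a .edu address, which is why the text's caution applies with extra force to wildcard white list entries.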
Bayesian scanning
Bayesian scanning is a method of teaching the FortiMail unit what is a spam email and what is not. Bayesian training uses Bayes' theorem of probability. Using this theorem, the spam filters take into account the type of words used in spam messages versus those used in legitimate messages.
Bayesian training is a manual process performed by the administrator or by email users. For each email received, an email user can “tell” the filter whether it is a good email, spam, or a false positive. The more training the filter receives, that is, the more email users submit with its status indicated, the more accurate the spam filter becomes.
Bayesian filters recognize spam messages by looking at the words (or “tokens”) they contain. The Bayesian filter starts with two collections of email, one of known spam and one of known non-spam email. For every word in these email messages, it calculates the probability of a scanned message being spam based on the proportion of spam occurrences.
The FortiMail unit can maintain three types of Bayesian databases: global, group, and user. They all work in the same way with the Bayesian scanning engine, but each is designed for a different application:
• Global: can be used to scan any or all mail sent and received by the FortiMail unit. There is only one global Bayesian database on a FortiMail unit.
• Group: maintained on a per-protected-domain basis. This allows the flexibility of a database tailored to filter the mail to each domain.
• User: maintained on a per-user basis for each protected domain. This allows the user Bayesian database to be fine-tuned to only the mail traffic the user receives.
To configure Bayesian scanning, go to AntiSpam > Bayesian. Configuring Bayesian databases is more involved than the other antispam settings, because the databases must be trained on real email before they can recognize spam. For complete details on Bayesian scanning and how to train the FortiMail unit, see the FortiMail Administration Guide.
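The token-probability calculation the paragraphs above describe, carried through on a small constructed corpus, including the false-positive retraining step. This is an added example and not the FortiMail Bayesian engine: the tokenizer, the smoothing toward 0.5 for rarely seen tokens, the choice of the 15 most significant tokens and the combining formula are assumptions in the style of classic Bayesian spam filters. The guide's global, group and user databases correspond to separate instances of the same class.

```python
"""Bayesian token scoring on a constructed corpus.

Added example, not the FortiMail engine.  Each database (the guide's global,
group and user databases are just separate instances) counts how many spam
and how many non-spam messages contained each token; a message's spam
probability combines the per-token probabilities of its most telling tokens.
The tokenizer, the smoothing toward 0.5 for rarely seen tokens, the 15-token
window and the combining formula are assumptions.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!']+")


def tokens(text):
    """Distinct lowercase tokens in a message body."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianDB:
    def __init__(self):
        self.spam = Counter()   # token -> number of spam messages containing it
        self.ham = Counter()    # token -> number of non-spam messages containing it
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        """One training submission: the message and what the user says it is."""
        bucket = self.spam if is_spam else self.ham
        bucket.update(tokens(text))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, tok):
        """P(spam | token) from the proportion of spam vs. non-spam messages
        that contained it, pulled toward 0.5 when the token is rarely seen."""
        s, h = self.spam[tok], self.ham[tok]
        if s + h == 0:
            return 0.5
        p_spam = s / max(self.nspam, 1)
        p_ham = h / max(self.nham, 1)
        raw = p_spam / (p_spam + p_ham)
        return (0.5 + (s + h) * raw) / (1 + s + h)   # never exactly 0 or 1

    def score(self, text, n=15):
        """Combined spam probability of a message, computed in log space to
        avoid underflow; only the n tokens farthest from 0.5 are used."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:n]
        if not probs:
            return 0.5
        log_s = sum(math.log(p) for p in probs)
        log_h = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_h - log_s))


# Constructed training corpus: the "two collections" the text describes.
SPAM = ["buy cheap pills online free shipping act now",
        "free money win lottery click here now",
        "cheap mortgage rates lowest rates act now",
        "click here for free prize winner claim now"]
HAM = ["meeting tomorrow about the quarterly report",
       "please review the attached budget before friday",
       "lunch on thursday with the project team",
       "the server upgrade is scheduled for saturday night"]


def build_db():
    db = BayesianDB()
    for m in SPAM:
        db.train(m, True)
    for m in HAM:
        db.train(m, False)
    return db


def false_positive_demo():
    """Score a legitimate message that looks spammy, then submit it as a
    false positive (train as non-spam) and score it again."""
    db = build_db()
    msg = "act now: free tickets for the team lunch"
    before = db.score(msg)
    db.train(msg, False)
    return before, db.score(msg)


if __name__ == "__main__":
    db = build_db()
    print("spam-like :", round(db.score("free pills click now"), 3))
    print("ham-like  :", round(db.score("quarterly budget review meeting"), 3))
    print("false positive before/after retraining:",
          [round(x, 3) for x in false_positive_demo()])
```

The retraining call is the "false positive" feedback the text describes: one submission of the misclassified message as non-spam moves its score from the spam side of 0.5 to the non-spam side, because every token it contains now has a non-spam occurrence counted against it.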
Heuristic scanning
Heuristic scanning uses a scoring technique based on predetermined terms and words. The rules are broken down into five categories: header, body, raw body, URI, and metadata. Each rule has an individual score used to calculate the total score for an email.
You can fine-tune the threshold values to meet your specific needs. If your email system’s false positive ratio is high, raise the upper level threshold until you achieve a satisfactory ratio. If your spam catch rate is too low, lower the lower level threshold until you achieve a satisfactory rate. The FortiMail default threshold values are recommended only as a starting point.
Note that heuristic scanning is resource intensive. If spam detection rates are acceptable without heuristic scanning, using the other antispam methods available in FortiMail (black lists, FortiGuard), consider disabling it or limiting its use to policies dealing with problem hosts. To customize the thresholds and the rules used, go to AntiSpam > Rules and modify the values as required.
Create profiles
A profile is a collection of FortiMail settings that you specify to filter incoming and outgoing email and to control the email flow. Profiles are selected in policies and run on any traffic the policy controls. The FortiMail unit enables you to create profiles for a number of features. For an initial setup, create profiles for antispam and antivirus. As you continue to develop your email environment, you can add additional profiles for authentication, content and so on.
Antispam profile
After creating your antispam configurations, you can add an antispam profile, which takes the settings you have configured and groups them into a single profile that you can apply across various policies. Each profile you add can use different antispam options depending on how you need to use them. To create an antispam profile, go to Profile > AntiSpam > Incoming or Outgoing.
When you create an antispam profile you can also define additional antispam measures within the profile, including:
• DNSBL - communicate with DNSBL (DNS Block List) servers to check the IP address of the mail server that delivered the message. If a match is found, the FortiMail unit treats the message as spam.
• SURBL - check every URI in the message body against SURBL servers. If a match is found, the FortiMail unit treats the message as spam.
• Banned Word - check the message for words you have added to the banned word list. The message is treated as spam if any match is found.
Most individual spam detection methods allow the selection of an action. The selected action determines what the FortiMail unit does with mail detected as spam by the particular spam detection method. The options available are:
• Subject Tag - enter the text to insert in the subject line of the tagged message delivered to the recipient, for example “FortiMail detected spam”. Users can create rules in their client software to direct messages with this tag to a separate folder for later review.
• Reject - the FortiMail unit rejects the spam and sends a reject response to the sender.
• Discard - the FortiMail unit discards the spam without sending a reject response to the sender.
• Forward - the FortiMail unit forwards the spam to a configured email address.
• Quarantine - the FortiMail unit redirects detected spam messages to the spam quarantine. The quarantine action is only available for incoming antispam profiles.
Antivirus profile
Antivirus profiles are used by the FortiMail unit to scan email for viruses. FortiMail units update virus signatures online from Fortinet’s update servers around the world. When a virus is found, the FortiMail unit deletes the file that contains the virus and replaces the file with a message notifying the user that the infected file has been deleted. To create an antivirus profile, go to Profile > AntiVirus > AntiVirus.
As for antispam, antivirus methods also enable you to define an action to take when the FortiMail unit finds a virus. The selected action determines what the FortiMail unit does with mail in which a virus is detected. The options available are:
• Replace Virus Body - the FortiMail unit replaces the attachment of an infected email with a message that provides information about the virus and the source of the email.
• Reject - the FortiMail unit rejects the email and sends a reject response to the sender.
• Discard - the FortiMail unit discards the email without sending a reject response to the sender.
Applying profiles After you create the profiles, you apply them to users and user groups to create email filtering and control policies, described below. To customize your email service, you can apply different profiles to different users or user groups. For instance, if you are an Internet Service Provider (ISP), you can create and apply antivirus profiles only to the users who pay for the antivirus service.
Create policies
Policies determine if and how incoming and outgoing email is scanned for spam, viruses, and attachment types. Policies can also determine user account settings, such as authentication type, disk quota, and access to webmail. There are two types of policies you can configure in FortiMail:
• Recipient-based policies are run on messages sent to a user or user group specified in the policy. Recipient-based policies enable you to define which policies are run on individual messages based on who the message is sent to. Depending on your needs, you can create different recipient-based policies for different email recipients. For example, if you are an ISP, you can apply antispam and antivirus profiles only to customers who have paid for those services. In all operating modes, you can create incoming and outgoing recipient-based email policies to protect both local and remote email recipients.
• IP-based policies are run when the client IP address matches the client address specified in the policy (gateway and server modes), or when both IP addresses match the client and server addresses specified in the policy (transparent mode). In server and gateway modes, IP-based policies are run on connections initiated by a computer with the IP address specified in the policy. In transparent mode, IP-based policies are run on connections between two computers, both specified by IP address in the policy.
Recipient-based policies take priority over IP-based policies, and only one policy is applied to any message. The FortiMail unit checks each message for recipient-based policy matches. If a match is found, the recipient-based policy is applied. If no recipient-based policy matches, the IP-based policy is applied. This is how all aspects of the policies are applied, with the exception of the session profile and the antivirus profile. If no recipient-based policy matches the message and no IP-based policy matches the session, no policy is applied and the mail is delivered as is.
To create email policies, go to the Policies menu and select Recipient Based or IP Based.
Note: Arrange policies in the policy list from most specific at the top to most general at the bottom. Policy matches are checked from the top of the list downward, and the first match is used.
The options available for a policy depend on whether you are running the FortiMail unit in Transparent/Gateway mode or Server mode. For more details on policy usage and configuration, see the FortiMail Administration Guide.
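The policy selection order described above, as an added example (not FortiMail code) that also flags a recipient-based policy which can never match because a broader one sits above it, the ordering mistake the note warns about. Policy names, recipient patterns, client networks, addresses and the simplified notion of a "broader" pattern are assumptions; the session-profile and antivirus-profile exceptions mentioned above are not modelled.

```python
"""Policy selection order for a FortiMail message.

Added example, not FortiMail code.  A message is matched against the
recipient-based policies first; only if none matches are the IP-based
policies consulted; if neither matches, no policy applies.  Both lists are
first-match, top-down, so an ordering mistake silently shadows later
policies.  All names, patterns and addresses below are constructed.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RecipientPolicy:
    name: str
    recipient: str              # "user@domain", "*@domain" or "*"


@dataclass(frozen=True)
class IPPolicy:
    name: str
    client: str                 # CIDR network of the connecting client
    server: str = "0.0.0.0/0"   # only consulted in transparent mode


def match_recipient(policies, rcpt):
    """First recipient-based policy whose pattern covers the recipient."""
    for p in policies:
        if fnmatch.fnmatchcase(rcpt.lower(), p.recipient.lower()):
            return p
    return None


def match_ip(policies, client_ip, server_ip=None, mode="gateway"):
    """First IP-based policy for this session.  Gateway and server modes
    match the client address only; transparent mode needs both ends."""
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_address(server_ip) if server_ip else None
    for p in policies:
        if client not in ipaddress.ip_network(p.client):
            continue
        if mode == "transparent" and (
                server is None or server not in ipaddress.ip_network(p.server)):
            continue
        return p
    return None


def select_policy(rcpt_policies, ip_policies, rcpt, client_ip,
                  server_ip=None, mode="gateway"):
    """Exactly one policy (or None) applies: the recipient-based match if
    there is one, otherwise the IP-based match, otherwise nothing."""
    return (match_recipient(rcpt_policies, rcpt)
            or match_ip(ip_policies, client_ip, server_ip, mode))


def shadowed(policies):
    """Names of recipient-based policies that can never match because an
    earlier policy already covers every recipient they name.  Assumption:
    only exact addresses, "*@domain" and "*" patterns are understood."""
    dead = []
    for i, p in enumerate(policies):
        for earlier in policies[:i]:
            broader = (earlier.recipient == "*"
                       or earlier.recipient.lower() == p.recipient.lower()
                       or ("*" not in p.recipient
                           and fnmatch.fnmatchcase(p.recipient.lower(),
                                                   earlier.recipient.lower())))
            if broader:
                dead.append(p.name)
                break
    return dead


# Constructed policy lists.  RCPT_WRONG has the general policy on top, so the
# stricter per-user policy below it is never reached; RCPT_FIXED is the same
# two policies in the order the note above calls for.
RCPT_WRONG = [RecipientPolicy("domain_default", "*@example.com"),
              RecipientPolicy("ceo_strict", "ceo@example.com")]
RCPT_FIXED = [RecipientPolicy("ceo_strict", "ceo@example.com"),
              RecipientPolicy("domain_default", "*@example.com")]
IP_POLICIES = [IPPolicy("branch_office", "192.0.2.0/24", "10.0.0.0/8"),
               IPPolicy("everyone_else", "0.0.0.0/0")]

if __name__ == "__main__":
    print("shadowed:", shadowed(RCPT_WRONG))
    for rcpts in (RCPT_WRONG, RCPT_FIXED):
        p = select_policy(rcpts, IP_POLICIES, "ceo@example.com", "203.0.113.5")
        print("ceo@example.com ->", p.name)
    print("outside recipient from branch ->",
          select_policy(RCPT_FIXED, IP_POLICIES, "bob@other.org", "192.0.2.7").name)
```

Without the catch-all IP-based policy at the bottom, a message to an unprotected recipient from an unlisted client matches nothing and is delivered with no profile applied at all, which is the case the text describes; `select_policy` returns None for it so the caller can decide whether that is acceptable.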
Add users (Server mode)
If you are using the FortiMail unit as your email server, you need to add user names to the FortiMail user list so that people have accounts to send and receive email from. FortiMail enables you to add users, create groups of users, and create mailing lists. Each of these configurations is located in the User menu.
Adding users
You can add users in two ways: add each user individually, or import an existing user list from a previous mail server installation. The list must be a comma separated values (CSV) text file.
Adding groups
For easier user management, create user groups that contain the users of a specific department or functional group. A group does not have its own email address.
Adding user aliases
User aliases are similar to mailing lists. They enable you to add users to specific groupings that use a unique email address. When a user wants to send an email to this group of people, they can send it to one address rather than having to remember all the recipients individually. For example, [email protected].
Firmware
Fortinet periodically updates the FortiMail firmware to include enhancements and address issues. After you have registered your FortiMail unit, FortiMail firmware is available for download at http://support.fortinet.com. Only FortiMail administrators whose access profiles contain system configuration read and write privileges, and the FortiMail admin user, can change the FortiMail firmware.
This chapter includes the following topics:
• Backing up the FortiMail information
• Using the web-based manager
• Using the CLI
• Reverting to a previous firmware version
• Installing firmware images from a system reboot
Backing up the FortiMail information
Before upgrading the FortiMail firmware, it is good practice to back up your configuration, Bayesian database, and Black/White lists in case something goes wrong during the upgrade.
Back up the configuration
Back up the FortiMail configuration to a local PC using the web-based manager.
To back up the configuration
1 Go to System > Status > Status.
2 In the System Settings area, select Backup.
3 Select Backup System settings and select a location to store the configuration file.
Back up the Bayesian database
To back up the Bayesian database
1 Go to AntiSpam > Bayesian > DB Maintenance.
2 Select Backup bayesian database.
3 Select Download bayesian database backup file and select a location to store the database file.
Back up the Black/White list database
To back up the Black/White list database
1 Go to AntiSpam > Black/White > Black/White List Maintenance.
2 Select Backup Black/White List.
3 Select Download Black/White list backup file and select a location to store the database file.
Back up the FortiMail mail queue
The mail queue holds email that the FortiMail unit could not deliver or could not return to the sender.
To back up the mail queue
1 Go to Mail Settings > Mail Queue > Queue Maintenance.
2 Select Backup Queue.
3 Select Download Queue file and select a location to store the mail queue file.
Using the web-based manager
The web-based manager provides an easy to use method of upgrading or downgrading the firmware on the FortiMail unit.
Upgrading the firmware
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
To upgrade the firmware
1 Download the firmware from the Fortinet Support web site.
2 Copy the firmware image file to your management computer.
3 Log into the web-based manager as the admin administrative user.
4 Go to System > Status.
5 Under System Information > Firmware Version, select Update.
6 Type the path and filename of the firmware image file, or select Browse and locate the file.
7 Select OK.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiMail login. This process takes a few minutes.
8 Log into the web-based manager.
9 Go to System > Status and check the Firmware Version to confirm that the new firmware is installed.
Reverting to a previous firmware version Use the same procedure as above to revert your FortiMail unit to a previous firmware version. This procedure reverts the FortiMail unit to its factory default configuration.
Using the CLI The CLI provides an easy to use method of upgrading or downgrading the firmware on the FortiMail unit.
Upgrading the firmware
To complete this procedure, you must have a running TFTP server that the FortiMail unit can connect to.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
To upgrade the firmware using the CLI
1 Make sure the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI.
4 Make sure the FortiMail unit can connect to the TFTP server by using the ping command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the execute restore image command to copy the firmware image from the TFTP server to the FortiMail unit, giving the name of the firmware image file followed by the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image.out 192.168.1.168
The FortiMail unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiMail unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
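A pre-flight check to run on the management host before step 2 of the CLI procedure above. TFTP has no authentication or integrity protection, so the image should be verified against a digest obtained out of band (assumption: from wherever the image was downloaded) before it is placed in the TFTP root, and the backups from “Backing up the FortiMail information” should be on hand. This is an added example, not part of the guide or of any Fortinet tool; the file names, image bytes and expected digest are constructed.

```python
"""Pre-flight checks before copying a firmware image to the TFTP root.

Added example, not part of the guide or any Fortinet tool.  TFTP carries the
image with no authentication or integrity protection, so the file is verified
against a digest obtained out of band before it is offered to the unit, and
the backups from "Backing up the FortiMail information" must be present.  The
file names, image bytes and expected digest below are constructed.
"""
import hashlib
import hmac
import os
import tempfile

# Backup files the earlier section tells you to download (names assumed).
REQUIRED_BACKUPS = ("system_settings.cfg", "bayesian_db.bak",
                    "black_white_list.bak", "mail_queue.bak")


def sha256_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large images do not sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex):
    """Compare the image digest with the expected value in constant time."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def missing_backups(backup_dir):
    """Required backup files that are absent or empty."""
    missing = []
    for name in REQUIRED_BACKUPS:
        full = os.path.join(backup_dir, name)
        if not os.path.isfile(full) or os.path.getsize(full) == 0:
            missing.append(name)
    return missing


def preflight(image_path, expected_hex, backup_dir):
    """Reasons not to proceed; an empty list means go ahead with
    'execute restore image'."""
    problems = []
    if not verify_image(image_path, expected_hex):
        problems.append("image digest mismatch: do not copy it to the TFTP root")
    problems.extend(f"missing or empty backup: {n}" for n in missing_backups(backup_dir))
    return problems


def demo():
    """Constructed run in a temp dir: a clean pass, then the same image with
    one byte altered (as an on-path tamper would) and a backup missing.
    Returns (problems_clean, problems_tampered)."""
    payload = b"FORTIMAIL-FAKE-IMAGE\x00" * 64
    expected = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "image.out")
        with open(image, "wb") as f:
            f.write(payload)
        for name in REQUIRED_BACKUPS:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"backup contents")
        clean = preflight(image, expected, d)
        with open(image, "r+b") as f:      # flip one byte in the image
            f.seek(5)
            f.write(b"\xff")
        os.remove(os.path.join(d, "mail_queue.bak"))
        tampered = preflight(image, expected, d)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run   :", clean or "ok")
    print("tampered run:", tampered)
```

The unit's own "Check image OK." message (shown in the downgrade procedure below) confirms the image is a valid FortiMail image; it does not tell you the image is the one you intended to install, which is what the digest comparison on the management host is for.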
Reverting to a previous firmware version
This procedure reverts the FortiMail unit to its factory default configuration and deletes all white lists, black lists, and Bayesian databases.
Caution: Reverting to an earlier firmware version will cause you to lose your entire configuration. Before beginning this procedure you should back up your configuration. For details, see “Backing up the FortiMail information” on page 95.
If you are reverting to a previous FortiMail version (for example, reverting from v3.0 to v2.80), you might not be able to restore your previous configuration from the backup configuration file.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
To use the following procedure, you must have a TFTP server that the FortiMail unit can connect to.
To revert to a previous firmware version
1 Make sure the TFTP server is running.
2 Copy the firmware image file to the root directory of the TFTP server.
3 Log into the FortiMail CLI.
4 Make sure the FortiMail unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the execute restore image command to copy the firmware image from the TFTP server to the FortiMail unit, giving the name of the firmware image file followed by the IP address of the TFTP server. For example, if the firmware image file name is v2.80image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore v2.80image.out 192.168.1.168
The FortiMail unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiMail unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiMail unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
Once the FortiMail unit has restarted, load your configuration information onto the unit.
Installing firmware images from a system reboot You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version. This is a useful procedure when you are unable to connect to the FortiMail unit using the web-based manager or the CLI login. To use this procedure, you must connect to the CLI using the FortiMail console port and a RJ-45 to DB-9 or null-modem cable. This procedure reverts the FortiMail unit to its factory default configuration. For this procedure you require a TFTP server that you can connect to from port 1. The TFTP server should be on the same subnet as the internal interface. Before beginning this procedure you should backup your configuration file and lists. See “Backing up the FortiMail information” on page 95 for details.
Caution: If you are reverting to a previous FortiMail version (for example, reverting from v3.0 to v2.80), you might not be able to restore your previous configuration from the backup configuration file.

Note: Installing firmware replaces the current antivirus definitions with the definitions included with the firmware release you are installing. After you install new firmware, ensure that antivirus definitions are up to date. For details, see “Updating antivirus signatures” on page 86.
To install firmware from a system reboot

1. Connect to the CLI using the null-modem cable and FortiMail console port.
2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure the internal interface is connected to the same network as the TFTP server.
5. To confirm the FortiMail unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
    execute ping 192.168.1.168
6. Enter the following command to restart the FortiMail unit:
    execute reboot
   The FortiMail unit responds with the following message:
    This operation will reboot the system ! Do you want to continue? (y/n)
7. Type y. As the FortiMail unit starts, a series of system startup messages is displayed. When the following message appears:
    Press any key to display configuration menu.......
   Immediately press any key to interrupt the system startup.
   Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiMail unit reboots and you must log in and repeat the execute reboot command.
   If you successfully interrupt the startup process, the following menu appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [I]: Configuration and information.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,B,I,Q,or H:
8. Type G to get the new firmware image from the TFTP server. The following message appears:
    Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
10. Type an IP address that can be used by the FortiMail unit to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network. The following message appears:
    Enter File Name [image.out]:
11. Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiMail unit and messages similar to the following are displayed:
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12. Type D. The FortiMail unit installs the new firmware image and restarts.
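Both the execute restore image command and boot-menu option [G] pull the image with a plain TFTP (RFC 1350) octet-mode read request. The script below is an added example, not part of the Fortinet guide: run from a workstation on the staging subnet, it performs that same read request and then compares what the server delivered against the file you copied into the TFTP root, so a wrong root directory, truncated copy or stale file is caught before you reboot the unit into the boot menu. The server address 192.168.1.168, the file name v2.80image.out and the local path are assumed sample values.

```python
import hashlib
import socket
import struct

# TFTP (RFC 1350) opcodes. TFTP carries no authentication and no integrity
# check of its own, which is why the transfer is verified by hash at the end.
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512


def build_rrq(filename, mode="octet"):
    """RRQ packet: opcode 1, file name, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block):
    """ACK packet: opcode 4 followed by the 16-bit block number."""
    return struct.pack("!HH", OP_ACK, block)


def parse_reply(packet):
    """Return (opcode, block_or_errcode, payload) for a DATA or ERROR packet."""
    opcode, number = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return opcode, number, packet[4:]
    if opcode == OP_ERROR:
        return opcode, number, packet[4:].rstrip(b"\0").decode(errors="replace")
    raise ValueError("unexpected TFTP opcode %d" % opcode)


def fetch_image(server, filename, timeout=5.0):
    """Read the whole file over TFTP and return its bytes; raise on a TFTP error."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(filename), (server, 69))
    image, expected = bytearray(), 1
    while True:
        packet, peer = sock.recvfrom(4 + BLOCK_SIZE)  # server answers from a new port
        opcode, number, payload = parse_reply(packet)
        if opcode == OP_ERROR:
            raise RuntimeError("TFTP error %d: %s" % (number, payload))
        sock.sendto(build_ack(number), peer)
        if number != expected:          # retransmitted block: already acked, skip it
            continue
        image += payload
        expected += 1
        if len(payload) < BLOCK_SIZE:   # a short block terminates the transfer
            return bytes(image)


def image_matches(fetched, local_path):
    """True when the server delivered exactly the bytes staged in the TFTP root."""
    with open(local_path, "rb") as fh:
        return hashlib.sha256(fetched).digest() == hashlib.sha256(fh.read()).digest()
```

A typical pre-flight check is image_matches(fetch_image("192.168.1.168", "v2.80image.out"), "/tftpboot/v2.80image.out"), which should return True before you proceed to step 6.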
Testing a new firmware image before installing it

You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. This enables you to try a new firmware image before loading it permanently onto the system.
After completing this procedure, the FortiMail unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time you restart the FortiMail unit, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrading the firmware” on page 96.

For this procedure, you must connect to the CLI using the FortiMail console port and a RJ-45 to DB-9 or null-modem cable. This procedure temporarily installs a new firmware image using your current configuration.

For this procedure you require a TFTP server that you can connect to from port 1. The TFTP server should be on the same subnet as the internal interface.

Before beginning this procedure you should back up your configuration file and lists. See “Backing up the FortiMail information” on page 95 for details.

To test a new firmware image

1. Connect to the CLI using a RJ-45 to DB-9 serial cable or a null-modem cable and FortiMail console port.
2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure the internal interface is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
    execute ping 192.168.1.168
5. Enter the following command to restart the FortiMail unit:
    execute reboot
6. As the FortiMail unit starts, a series of system startup messages is displayed. When the following message appears:
    Press any key to display configuration menu........
   Immediately press any key to interrupt the system startup.
   Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiMail unit reboots and you must log in and repeat the execute reboot command.
7. If you successfully interrupt the startup process, the following menu appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [I]: Configuration and information.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,B,I,Q,or H:
8. Type G to get the new firmware image from the TFTP server. The following message appears:
    Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
10. Type an IP address that can be used by the FortiMail unit to connect to the TFTP server. The following message appears:
    Enter File Name [image.out]:
11. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiMail unit and messages similar to the following appear:
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12. Type R. The FortiMail image is installed to system memory and the FortiMail unit starts running the new firmware image but with its current configuration.
13. You can log into the CLI or the web-based manager using any administrative account.
14. To confirm the new firmware image has been loaded, from the CLI enter:
    get system status
   You can test the new firmware image as required.
Installing and using a backup firmware image

Once the backup firmware image is installed you can switch to this backup image when required. To run this procedure you:
• Access the CLI by connecting to the FortiMail console port using a RJ-45 to DB-9 serial cable or null-modem cable.
• Install a TFTP server that you can connect to from the FortiMail unit as described in the procedure “Installing firmware images from a system reboot” on page 99.
To install a backup firmware image

1. Connect to the CLI using a RJ-45 to DB-9 serial cable or a null-modem cable and FortiMail console port.
2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of your TFTP server.
4. To confirm the FortiMail unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
    execute ping 192.168.1.168
5. Enter the following command to restart the FortiMail unit:
    execute reboot
   As the FortiMail unit starts, a series of system startup messages is displayed. When the following message appears:
    Press any key to enter configuration menu........
6. Immediately press any key to interrupt the system startup.
   Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiMail unit reboots and you must log in and repeat the execute reboot command.
   If you successfully interrupt the startup process, the following menu appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,Q,or H:
7. Type G to get the new firmware image from the TFTP server. The following message appears:
    Enter TFTP server address [192.168.1.168]:
8. Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
9. Type an IP address that can be used by the FortiMail unit to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network. The following message appears:
    Enter File Name [image.out]:
10. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiMail unit and the following message is displayed:
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
11. Type B. The FortiMail unit saves the backup firmware image and restarts. When the FortiMail unit restarts it is running the previously installed firmware version.
Index

A
A record 15
advanced mode 28
air flow 19
aliases 93
ambient temperature 19
antispam profiles 91
antivirus
    profiles 92
    signatures 86
applying profiles 92

B
backup 95
banned word 91
basic mode 28
Bayesian
    description 16
    scanning 90
black list 88
    description 16

C
certificate, security 26
comments, documentation 10
configuration backup 95
configuring time 85
conventions, documentation 9
customer service 10

D
description
    A record 15
    Bayesian scanning 16
    black list 16
    grey list 16
    heuristic scanning 17
    IMAP 14
    MTA 15
    MUA 15
    MX record 14
    POP3 13
    SMTP 14
    white list 16
discard 91, 92
DNSBL 91
documentation
    commenting on 10
    conventions 9
    FortiMail 9

F
firmware
    install, backup firmware image 102
    re-installing current version 99
    reverting to an older version 99
    testing new firmware 100
    upgrading to a new version 96
    upgrading using the CLI 97, 98
FortiGuard
    push updates 87
    scheduling updates 87
    updates 86
Fortinet
    customer service 10
    Knowledge Center 10

G
gateway mode
    behind a firewall 30
    described 11
    in front of a firewall 38
    in the DMZ 45
grey list
    description 16

H
heuristic
    description 17
    scanning 90
humidity 19

I
IMAP
    description 14
IP-based policies 93

L
logs
    backup 95

M
mail transfer agent 15
mail user agent 15
mailing list 93
management mode 28
modes
    advanced management 28
    basic management 28
MTA
    description 15
MUA
    description 15
MX record 14

N
NTP server 85

O
operating temperature 19

P
policies
    IP-based 93
    recipient-based 92
POP3
    description 13
profiles
    antispam 91
    antivirus 92
    applying 92
push updates 87

Q
quarantine 91
Quick Start Wizard 28

R
recipient-based policies 92
registering FortiGate unit 7
reject 91, 92
reverting, to an older firmware version 99

S
security certificate 26
server mode
    behind a firewall 66
    described 13
    in front of a firewall 72
    in the DMZ 78
scheduling updates 87
SMTP
    description 14
subject tag 91
SURBL 91

T
technical support 10
time, configuring 85
transparent mode
    described 12
    in front of an email server 56
    protecting the email hub 60

U
upgrading
    firmware 96
    firmware using the CLI 97, 98
user
    adding 93
    alias 93
    groups 93

V
virtual IP 35

W
white list 88
    description 16
Wizard (Quick Start) 28
www.fortinet.com